Re: Thanks to all and next steps from Joseph Potvin on 2015-06-26 (public-webpayments-ig@w3.org from June 2015)

From: Joseph Potvin <jpotvin@opman.ca>
Date: Fri, 26 Jun 2015 11:02:45 -0400
To: Web Payments IG <public-webpayments-ig@w3.org>
Message-ID: <CAKcXiSruCXCMrOaORSR28qis+Vj44rhdbKuzhtcfAXxhasRPBg@mail.gmail.com>
RE: "ISO Standards being made mandatory"

Whatever the reasons some WC3 members may have for not wanting to
explicitly or implicitly require conformance with external global standards
or specifications, possibly the following approach would supply a workable
solution:

***

*Any explicit requirement or reference in the W3C specification to another
external standard or specification that is developed and maintained by a
separate global standards body, will be followed by words such as “or
compatible”, unless the W3C has been directly involved in the development
and maintenance of that external standard or specification.*

***

Source for this idea: I've borrowed the underlying logic of Paragraph 3 in
Article VI: Technical Specifications of the WTO Agreement on Government
Procurement
https://www.wto.org/english/docs_e/legal_e/gpr-94_01_e.htm#articleVI.  This
logic is also implemented in regional trade agreements.

By using the phrase "or compatible" (the WTO phrase is a narrower "or
equivalent"), we accommodate the scenario whereby any other specification
(particular to a country, a supply chain, a widely deloyed solution, etc.)
would be suitable so long as it can semantically map with the named
external global standard. Compatibilty can be demonstrated/tested with the
mapping tables.

Is that approach good enough for consensus?  We would therefore say "ISO
20022 or compatible", etc.

***

RE: "Security Framework" & "US hasn't taken a mandatory approach yet. Other
countries have but not the US."

A view from this month's UNCITRAL meeting on global digital identity:

"What's hampering the use of Electronic identification (eID) and electronic
Trust Services (eTS) in global businesses?
- Lack of legal predictability cross-border
- Diversity of legal frameworks
   * differences in legal effects
   * national/regional legal frameworks
   * differences in security and accountability obligations
   * difference in liability regimes
- Lack of interoperability on a global level
- National silos vs global digital market/businesses
- Lack of transparency on the quality of the services
- Trust and security aspects"

Source:
"Open issues on Electronic Commerce: the digital identity"
Presentation by Andrea Servida, Head of eIDAS Task Force, DG CONNECT,
European Commission
UNCITRAL Workshop, 10 June 2015
http://www.blogstudiolegalefinocchiaro.it/wp-content/uploads/2015/06/servida-Bologna_10_06_2015.pdf

***

Joseph Potvin
On behalf of DataKinetics http://www.dkl.com
Operations Manager | Gestionnaire des opérations
The Opman Company | La compagnie Opman
jpotvin@opman.ca
Mobile: 819-593-5983

On Fri, Jun 26, 2015 at 9:28 AM, Erik Anderson <eanders@pobox.com> wrote:

> From my brief exchange with some in the F2F, I interpreted the
>> "reservation"
>> or skepticism was more along the lines of ISO Standards being made
>> mandatory.
>>
>
> US hasnt taken a mandatory approach yet. Other countries have but not the
> US.
>
> This is true in the financial services world but for security, not for
> something like ISO 20022 nor ISO 12812.
>
> Obama executive order on cybersecurity issued a recommendation for a
> "Security Framework" that would be a NIST + ISO standard.
>
> Short term incentive was
> 1) Firms who implement the Framework, in good faith, will not be punished
> for weaknesses identified during vulnerability assessments in their programs
> 2) A shift in liability if fraud/data breaches/personal information was
> stolen and the Framework was not followed.
>
> The long term was to turn the Framework into a mandatory compliance
> mechanism that included end-to-end data security, enhanced key management
> mechanisms, and constant risk assessment of
> security/vulnerability/penetration scanning.
>
> This will effect the W3C Web Payments. I will be pushing that the Web
> Payments standards go through this Government/NIST risk assessment, both at
> the W3C level and IETF level. This is happening and will be the hot topic
> within the Federal Reserve Security Taskforce.
>
> I covered this on my presentation.
>
> W3C Web Payment standard mandatory? ISO? X9? Not likely.
> Identity/Credentials = maybe. End-to-end security = absolutely.
>
> Erik Anderson
> Bloomberg R&D
>
>
>
Received on Friday, 26 June 2015 15:03:35 UTC