Re: Thanks to all and next steps

> On Jun 26, 2015, at 8:02 AM, Joseph Potvin <jpotvin@opman.ca> wrote:
> 
> RE: "ISO Standards being made mandatory"
> 
> Whatever the reasons some WC3 members may have for not wanting to explicitly or implicitly require conformance with external global standards or specifications, possibly the following approach would supply a workable solution:
> 
> ***
> 
> Any explicit requirement or reference in the W3C specification to another external standard or specification that is developed and maintained by a separate global standards body, will be followed by words such as “or compatible”, unless the W3C has been directly involved in the development and maintenance of that external standard or specification.
> 
> ***
> 
> Source for this idea: I've borrowed the underlying logic of Paragraph 3 in Article VI: Technical Specifications of the WTO Agreement on Government Procurement
> https://www.wto.org/english/docs_e/legal_e/gpr-94_01_e.htm#articleVI <https://www.wto.org/english/docs_e/legal_e/gpr-94_01_e.htm#articleVI>.  This logic is also implemented in regional trade agreements.
> 
> By using the phrase "or compatible" (the WTO phrase is a narrower "or equivalent"), we accommodate the scenario whereby any other specification (particular to a country, a supply chain, a widely deloyed solution, etc.) would be suitable so long as it can semantically map with the named external global standard. Compatibilty can be demonstrated/tested with the mapping tables.
> 
> Is that approach good enough for consensus?  We would therefore say "ISO 20022 or compatible", etc.

I don’t think this is really much different. I concur with Adrian that the messaging standard used is specific to both the payment instrument and the jurisdictional preference. There will be payment schemes we haven’t even thought of in the future, and we need to account for them (ISO 20022 does not). 

Again, to echo Adrian - if a payment instrument decides its messaging must be compliant with a particular standard then that is totally fine. But defining the nuances of how a specific instrument works doesn’t seem like something in scope here.

> 
> ***
> 
> RE: "Security Framework" & "US hasn't taken a mandatory approach yet. Other countries have but not the US."
> 
> A view from this month's UNCITRAL meeting on global digital identity:
> 
> "What's hampering the use of Electronic identification (eID) and electronic Trust Services (eTS) in global businesses?
> - Lack of legal predictability cross-border
> - Diversity of legal frameworks
>    * differences in legal effects
>    * national/regional legal frameworks
>    * differences in security and accountability obligations
>    * difference in liability regimes
> - Lack of interoperability on a global level
> - National silos vs global digital market/businesses
> - Lack of transparency on the quality of the services
> - Trust and security aspects"
> 
> Source:
> "Open issues on Electronic Commerce: the digital identity"
> Presentation by Andrea Servida, Head of eIDAS Task Force, DG CONNECT, European Commission
> UNCITRAL Workshop, 10 June 2015
> http://www.blogstudiolegalefinocchiaro.it/wp-content/uploads/2015/06/servida-Bologna_10_06_2015.pdf <http://www.blogstudiolegalefinocchiaro.it/wp-content/uploads/2015/06/servida-Bologna_10_06_2015.pdf>
> 
> ***
> 
> Joseph Potvin
> On behalf of DataKinetics http://www.dkl.com <http://www.dkl.com/>
> Operations Manager | Gestionnaire des opérations
> The Opman Company | La compagnie Opman
> jpotvin@opman.ca <mailto:jpotvin@opman.ca>
> Mobile: 819-593-5983
> 
> On Fri, Jun 26, 2015 at 9:28 AM, Erik Anderson <eanders@pobox.com <mailto:eanders@pobox.com>> wrote:
> >From my brief exchange with some in the F2F, I interpreted the "reservation"
> or skepticism was more along the lines of ISO Standards being made mandatory.
> 
> US hasnt taken a mandatory approach yet. Other countries have but not the US.
> 
> This is true in the financial services world but for security, not for something like ISO 20022 nor ISO 12812.
> 
> Obama executive order on cybersecurity issued a recommendation for a "Security Framework" that would be a NIST + ISO standard.
> 
> Short term incentive was
> 1) Firms who implement the Framework, in good faith, will not be punished for weaknesses identified during vulnerability assessments in their programs
> 2) A shift in liability if fraud/data breaches/personal information was stolen and the Framework was not followed.
> 
> The long term was to turn the Framework into a mandatory compliance mechanism that included end-to-end data security, enhanced key management mechanisms, and constant risk assessment of security/vulnerability/penetration scanning.
> 
> This will effect the W3C Web Payments. I will be pushing that the Web Payments standards go through this Government/NIST risk assessment, both at the W3C level and IETF level. This is happening and will be the hot topic within the Federal Reserve Security Taskforce.
> 
> I covered this on my presentation.
> 
> W3C Web Payment standard mandatory? ISO? X9? Not likely. Identity/Credentials = maybe. End-to-end security = absolutely.
> 
> Erik Anderson
> Bloomberg R&D
> 
> 
> 

Received on Friday, 26 June 2015 15:55:52 UTC