Re: Best Practices for Outsourcing (ACTION-47, ISSUE-49)

On Mar 16, 2012, at 7:31 PM, Jonathan Mayer wrote:

> I'm no expert in W3C lingo, so let me explain what I want the language to do.

Perhaps this non-W3C explanation might help:

  http://www.alistapart.com/articles/readspec/

> As written, the outsourcing operative text requires "reasonable" technical precautions.  In many legal contexts, especially related to electronic privacy and security, "reasonable" has been read as a near-nullity.  (For example, "as long as reasonably necessary" retention limits.)  I don't want that to happen here, and I think we had consensus in Santa Clara that that's not the intent.
> 
> This text gives some contours to what we have in mind by "reasonable."  It is non-normative in that it does not require any particular technical implementation.  But it is also not merely a collection of best practices - the standard would require use of technologies that have similar privacy properties to these examples.
> 
> Jonathan

Please understand that the above translates to:

  This text adds requirements that the WG has not agreed to.

Any requirements made by the standard are normative, whether
they are about technology, behavior, presentation, or anything else.
If we don't reach agreement on a requirement, which generally means
that we all agree that the constraint is necessary to achieve the
protocol's purpose and is capable of being tested for conformance,
then it does not belong in the standard.

That does not mean it can't be phrased in such a way that it is
not considered a protocol requirement, but rather as a best practice.
Best practice documents take the standard as input and describe how
actual implementations have managed to conform to those requirements
(or failed to conform to them, when negative examples are available).
They tend to be very powerful documents, because many people prefer
to implement by example rather than read the standard.

....Roy

Received on Monday, 19 March 2012 21:59:45 UTC