
Re: ISSUE-235 (Auditability requirement for security)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 22 Oct 2014 09:40:38 -0700
Cc: Walter van Holst <walter.van.holst@xs4all.nl>, Tracking Protection Working Group <public-tracking@w3.org>
Message-Id: <8A3BA1F0-38E9-4AC0-833D-62FC56798F96@gbiv.com>
To: Justin Brookman <jbrookman@cdt.org>
On Oct 22, 2014, at 8:40 AM, Justin Brookman wrote:
> On Oct 22, 2014, at 11:34 AM, Walter van Holst <walter.van.holst@xs4all.nl> wrote:
>> On 2014-10-22 17:15, Justin Brookman wrote:
>>> What do you want this standard to require
>>> — that companies prepare some sort of documentation in advance of a
>>> request?  That they architect their systems in ways that can be
>>> comprehended by a regulator?  I think there was agreement that a
>>> general requirement of “auditability” was confusing and certainly not
>>> testable, but if you have a more concrete suggestion in mind, I think
>>> people would be open-minded.
>> 
>> I still object to applying the same testability criteria to the compliance spec as we do to the technical spec. They are worlds apart and it is inherent to any compliance spec that it will contain elements that are ultimately only testable in court. It is more of a contract than of a technical specification. When I draft a contract with audit clauses, I typically rely on what an EDP auditor would consider "auditable". That field has a long history to ascertain the extent to which an organisation has taken plausible safeguards against unauthorised access to and manipulation of transaction data. May I suggest the inclusion of similar, but non-normative, language to clarify that notion of "auditability"?

The notion of testability is essential in voluntary standards.  We cannot
comply with an undefined rule, so we do not allow them in any document.
It doesn't matter if some court might be able to define that rule at a
later date; if that happens, the rule can be added to the spec at that
time when it has a court-defined definition.

Also, some people have misconstrued testability to mean that the remote
participant needs to be able to test the requirement. That is not true.
It only needs to be testable by someone inspecting the behavior of the
implementation in accordance with the standard, which could be anyone
(including the user that installed a copy of the implementation).

....Roy
Received on Wednesday, 22 October 2014 16:40:54 UTC
