
Re: ISSUE-235 (Auditability requirement for security)

From: Walter van Holst <walter.van.holst@xs4all.nl>
Date: Wed, 22 Oct 2014 18:52:02 +0200
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Justin Brookman <jbrookman@cdt.org>, Tracking Protection Working Group <public-tracking@w3.org>
Message-ID: <5b0b138688af81513d626acff3779895@xs4all.nl>

On 2014-10-22 18:40, Roy T. Fielding wrote:

> Also, some people have misconstrued testability to mean that the remote
> participant needs to be able to test the requirement. That is not true.
> It only needs to be testable by someone inspecting the behavior of the
> implementation in accordance with the standard, which could be anyone
> (including the user that installed a copy of the implementation).

We may have a clash of jargons here (again). The way you describe 
testability is still more restrictive than is realistic for a compliance 
specification I think, but one that is workable to a point. Legal people 
tend to use "transparency" in the sense that it is predictable whether 
something meets a requirement or not without having to invoke the courts 
(which none should ever willingly do anyway). I do agree that 
testability in that way is very much worth striving for, but not meeting 
that ultimate bar should not be out of the question. Also I would say 
that someone in the field of installing implementations that intend to 
adhere to DNT:1 should be at least somewhat familiar with the basics of 
access control to webserver logfiles.

Also, I have never understood 'testable' as verifiable by a remote
participant, although that would be lovely to have whenever technically
possible, which it very rarely is.


Received on Wednesday, 22 October 2014 16:52:49 UTC
