Re: ISSUE-235 (Auditability requirement for security)

On 2014-10-22 18:40, Roy T. Fielding wrote:

> Also, some people have misconstrued testability to mean that the remote
> participant needs to be able to test the requirement. That is not true.
> It only needs to be testable by someone inspecting the behavior of the
> implementation in accordance with the standard, which could be anyone
> (including the user that installed a copy of the implementation).

We may have a clash of jargons here (again). The way you describe 
testability is still more restrictive than is realistic for a compliance 
specification I think, but one that is workable to a point. Legal people 
tend to use "transparency" in the sense that it is predictable whether 
something meets a requirement or not without having to invoke the courts 
(which none should ever willingly do anyway). I do agree that 
testability in that way is very much worth striving for, but not meeting 
that ultimate bar should not be out of the question. Also, I would say 
that someone in the field of installing implementations that intend to 
adhere to DNT:1 should be at least somewhat familiar with the basics of 
access control to web server logfiles.

Also, I have never understood 'testable' as verifiable by a remote 
participant, although that would be lovely to have whenever technically 
possible, which it very rarely is.

Regards,

  Walter

Received on Wednesday, 22 October 2014 16:52:49 UTC