Re: XSPA "certification" test bed idea

[James Bryce Clark <jamie.clark@oasis-open.org>]

David Staggs asked us, recently, whether some kind of validating or
test web service might be created, to be pinged and accessed on a
self-help (or other) basis by what he called "advanced,
standards-based security and privacy reference implementations";  and
whether a standards organization could do the hosting.

Well, let me mention that it's obviously possible, as several SDOs do
something similar.  The Open Group validates Unix standards;  WS-I
(which recently merged into OASIS) and W3C both offered testing tools
and validators for years.

Still, doing this right, with appropriate neutrality and policy
compliance, takes some planning and thought.

First, what kind of claims of conformance, or interoperability, or
best practice or informal confirmation, are you seeking to support,
with such a facility?  There are some issues around liability and
proper disclaimers; and whether a test reaches all the mandatory parts
of a spec.  And who should initially "expert-ize" the conclusion that
the test service correctly validates?   (The phrase "reference
implementation" also can be problematic.  We can talk about that
further if you like.)

Second, if that service is maintained over time, and might be updated
or changed, who owns it?  In the governance sense of having the
authority to make changes.

Third, there's an obvious IT platform issue.  Any idea what
requirements are expected?

Finally, any host would need to make clear the terms of availability
and licensure.  Maybe easier, with US government-donated executables,
as often that work is free of copyright by statute.

So, not at all impossible, but a further feasibility chat would be
needed with the interested proponents about their goals & needs.

Regards  Jamie

~ James Bryce Clark
~ General Counsel, OASIS
~ http://www.oasis-open.org/who/staff.php#clark