OpenChain-Project / Security-Assurance-Specification


[Improvement] SMK24 - Check if time limits are consistent #17

Closed shanecoughlan closed 1 year ago

shanecoughlan commented 2 years ago

SMK24: 3.4.2.1: The 18m time limit is now consistent with the range of time limits given in 3.4.2.

shanecoughlan commented 1 year ago

Potential issue in 3.4.2 verification materials vs main requirement in 3.4.2

shanecoughlan commented 1 year ago

As per call 2023-10-17, take language from Licensing 2.1:

==

A program that is OpenChain conformant with this version of the specification shall last 18 months from the date conformance validation was obtained. The conformance validation registration procedure can be found on the OpenChain project's website.

3.6.2.1 - A document affirming the program meets all the requirements of this security specification, within the past 18 months of obtaining conformance validation.

==

ADJUSTED FOR BOTH SPECS with rationale that reference material (how to validate conformance) should be clearly non-prescriptive because it is a "how" item that may vary across industries:

==

A program that is OpenChain conformant with this version of the specification shall last 18 months from the date conformance validation was obtained.

3.6.2.1 - A document affirming the program meets all the requirements of this specification, within the past 18 months of obtaining conformance validation.

==

A CONSIDERATION item is whether we should use "A document affirming the program meets all the requirements of this specification, within the past 18 months of obtaining conformance validation." or "A document affirming the program meets all the requirements of this [security][licensing] specification, within the past 18 months of obtaining conformance validation." Perhaps the former is easier and clearer. Included in this revision for that reason.

A TODO item is to create better conformance validation information in the FAQ.

shanecoughlan commented 1 year ago

Adjustment due to numbering difference between Licensing and Security Spec. Security Spec will look as follows:

A program that is OpenChain conformant with this version of the specification shall last 18 months from the date conformance validation was obtained.

3.4.2.1 - A document affirming the program meets all the requirements of this specification, within the past 18 months of obtaining conformance validation.

shanecoughlan commented 1 year ago

Addressed here: https://github.com/OpenChain-Project/Security-Assurance-Specification/commit/ce6a6605322310a62452e9831f6882611dcb85d0