Writing Cardano Certification Levels Specifications

[RSoulatIOHK]

I open this issue to discuss of everything we think needs to be considered and done.

This is an open list of things I think we need to agree on:

• [ ] Title
• [ ] Format: CIP/External document?
• [ ] Scope: What should be inside the specifications?
  • [ ] Vulnerabilities to be checked?
  • [ ] Definitions of the levels?
  • [ ] Description of the documentation necessary?
  • [ ] Metrics to be reached?
  • [ ] Tool qualification?
  • [ ] Which kind of tools?
  • [ ] Evidence presentation?
  • [ ] Who can certify? Who cannot certify anymore?
• [ ] Process: How do we agree that a section/paragraph/requirement should be in the final document?
  • [ ] Review during a WG session?
  • [ ] Vote to the majority/super-majority/unanimous?
  • [ ] Who are the members that needs to vote?
  • [ ] How will we update the document?

I think we'll also need to promote that this work is being done so that we can get contributions from as many stakeholders as possible.

For reference: Checklist for DApp certification Proposal for a Caradano Threat Intelligence First vulnerabilities under the CTI template