Certification Conformance Testing Disclosure and Reporting Policy


OpenID Foundation
Certification Conformance Testing
Disclosure and Reporting Policy


PURPOSE

This Certification Conformance Testing Disclosure and Reporting Policy (“Policy”) sets forth the rules and requirements that govern the disclosure and reporting by the OpenID Foundation (“OIDF”) of the identity of, and the results achieved by, individuals and entities that use OIDF conformance testing software and related services (“Testing Services”).

APPLICABILITY

This Policy applies to all OIDF employees and consultants involved in providing Testing Services, and all individuals, entities, organizations, and government agencies (whether OIDF Member or non-member) that utilize the OIDF Testing Services (“Testing Entities”) or that seek reporting of test results.

POLICY

1. Collection of Testing Data

Whenever a Testing Entity uses the OIDF Testing Services to test its deployment of a product or service, or to verify that its deployment conforms to one or more specific conformance profiles of an OpenID specification or protocol, OIDF obtains and collects data containing the identity of such Testing Entity, the results of each conformance test conducted by such Testing Entity, and the status of such identified Testing Entity’s progress through the conformance test suite up to and including self-certification (“Testing Data”). Such Testing Data is used by the OIDF consultants responsible for operating, maintaining, and improving the applicable Testing Services, and for providing support to the Testing Entity as it works through the self-certification tests (the “OIDF Certification Team”).

2. Availability of Testing Data to Testing Entity

OIDF provides transparency to each Testing Entity with regard to its Testing Data, which is always fully available to it via the conformance test suite interface. Except as provided in this Policy, such Testing Data is not otherwise disclosed by OIDF to any third party in a manner that would identify, or be relatable to, the Testing Entity.

3. Availability of Testing Data to Managing Entity in Sector-Wide Implementations

This Section applies where a Testing Entity is a participant in a regulated business sector (e.g., banking, insurance, securities) that is leveraging the OIDF Testing Services and certification capabilities as part of a required sector-wide implementation, and such implementation is governed and/or managed by a legally appointed managing entity (“Managing Entity”).

In such case, transparency and monitoring of Testing Entity progress is often important to the success of the sector-wide implementation. Thus, to accommodate the need for such monitoring, the Managing Entity may request that OIDF provide Testing Data on the Testing Entities in one of two ways:

3.1 Aggregated Generic Progress Reporting

Upon request, OIDF will provide the applicable Managing Entity with periodic sector-wide aggregated and de-identified reporting of sector participant Testing Data (“Aggregated Generic Progress Reports”). Such Aggregated Generic Progress Reports will consist of the following information for each relevant date: total number of Testing Entities performing tests, total number of tests performed, total number of tests passed, and total number of tests failed. No information will be provided regarding any specific identified Testing Entity or implementation. These Aggregated Generic Progress Reports are only made available to the Managing Entity and will not be disclosed to the public by OIDF. At the point that an individual Testing Entity’s self-certification submission is accepted by OIDF, the certification status for that Testing Entity is made public on the OIDF website and the Managing Entity will also be informed (directly by OIDF or via visiting the OIDF website).

3.2 Detailed Entity & Implementation System Reporting with Consent

Where the Managing Entity requires more detailed Testing Data identified by Testing Entity, OIDF will provide such Testing Data only for Testing Entities that provide express consent for such reporting by confirming a written agreement authorizing the reporting of their identified Testing Data to the Managing Entity. The process for obtaining such consent shall be as follows:

  • The Managing Entity shall provide OIDF with the names of all prospective Testing Entities to be subject to such reporting, and contact information (including email) of a person authorized to provide such consent at each such prospective Testing Entity;
  • OIDF shall send each such contact person an email, with a copy to the Managing Entity, containing:
      ◦ Notification of the Managing Entity’s request for detailed identified reporting regarding the Testing Entity,
      ◦ The text of the consent agreement authorizing such reporting,
      ◦ A unique identifier code (“Identifier”) to be used by the Testing Entity when testing, to authorize and facilitate such reporting, and
      ◦ Clear instructions that use of this Identifier by the Testing Entity constitutes its agreement and consent for OIDF to share both its identity and its Testing Data with the Managing Entity.

OIDF will provide the Managing Entity with detailed Testing Data only for those Testing Entities that provide their consent to such reporting by using their Identifier when testing. The Testing Data reported to the Managing Entity for each such consenting Testing Entity will consist of the following information: the Testing Entity performing the tests, the implementations being tested by the Testing Entity, and the specific pass/fail results for each specification of the profiles being tested (“Identifiable Testing Entity Reports”).

Identifiable Testing Entity Reports are only shared with the Managing Entity and will not be disclosed to the public by OIDF.

If a Testing Entity does not indicate its consent to the reporting by using the unique Identifier, then its Testing Data will not be reported to the Managing Entity. However, failure to use the unique Identifier in the alias will not affect the Testing Entity’s ability to qualify for self-certification under the standard OpenID Foundation policies and procedures for self-certification.

For the avoidance of doubt, all other Testing Entity users of the Testing Services and certification capabilities are not reported to third-party sector Managing Entities, and their testing progress remains confidential.

The sector-wide reporting functionality, whether generic or at the implementation/entity level, has been developed to help OIDF achieve its mission, which is to “Lead the global community in creating identity standards that are secure, interoperable, and privacy preserving.” Working in partnership with our members and ecosystem participants to offer this transparency is important to ensuring the best outcomes for people in that market and for all ecosystem participants. In this context, OIDF offers its services in a manner that supports local ecosystem Managing Entities and their participants, but OIDF is not responsible for governance of the sector, a responsibility that sits solely with the sector Managing Entity.