Smith,
> On Sep 23, 2020, at 5:44 PM, Kennedy, Smith (Wireless & IPP Standards) via ipp <ipp at pwg.org> wrote:
> ...
> In contrast to the old process that used reasonably confidential submissions within the PWG website itself, this new process is completely out in the open.
Keep in mind that with the old process, the certification results were validated by a server-side program. Now that happens in the ippevesubmit program, which generates the public information that used to go in the server-side database driving the IPP Everywhere Printers page. So from a privacy/confidentiality perspective we've actually improved things - the self-certification plist files no longer leave the vendor's control. The new JSON file is just the list of devices (as provided by the vendor) with the corresponding subset of capability information listed in the self-certification manual.
> Printer vendors might want to reveal these only after they have been released to the public.
This hasn't changed since the 1.0 days, but I agree that we didn't really consider this beyond the vendor choosing when they submit the results, which can then be posted immediately on the public web site.
> Also, those that are submitting the test results might not want their identities to be made public.
Role accounts can be used on the vendor side to hide the exact identity of the submitter. All we care is that the vendor is a PWG member, and that we can show that the submitter's email address or Github account is associated with the member, e.g., "blablabla at hp.com".
> Speaking to the first issue, there is a question of trust: the PWG officer might be an employee of a different printer vendor. So doing early submissions really isn't an option unless it the submissions were held "in escrow" by some neutral third party. That starts to get over-engineered pretty quickly.
Yeah, I'd really prefer to not try to support an escrow process - if ippevesubmit says you passed, then the vendor can run the tests, confirm the results with ippevesubmit, and then proceed with using the logo in preparation for public release. Once the product(s) are announced the results can be submitted to the PWG for publication on our web site.
> The only resolution to these issues I can imagine would be:
>> 1. Change the submission process to submit to a different email address (e.g. ippeveselfcertsubmission at pwg.org) and make that a private reflector or a role-based email address
I don't see this as particularly solving potential confidentiality issues. Best to simply *not* submit the results until you want them made public.
> 2. State cleary on the page that the certification test reports will be processed ASAP, and cannot be held in escrow, so it is up to the submitter to submit them only once they have been released to the public to avoid pre-announcing products and annoying your company's marketing department.
I think this is currently implied by the process (once we receive the results we process them), there is just no explicit mention of a timeframe for the processing of the submission.
In 1.0 it was instant - everything happened on the web server and a public announcement went out once a week for any newly published entries.
For the new JSON/ippevesubmit process, somebody (me currently) needs to merge the two JSON files (the one on the web site with the submitted one) and post the update. This isn't onerous, it is just not instant... 🤷♂️
________________________
Michael Sweet