Re: The business of OpenChain certifications


Hi Dirk

Self-certification is not an interim step. It is and always will be at the core of the project. In over five years in market it has proven to be an effective and efficient method of promoting better compliance. We have yet to have a reported case of misrepresentation in this space. Naturally, if such a case occurred in the future, we would address. We have several measures to do so, including but not limited to our trademarks.

Regarding TUV SÜD specifically, the certification business has moved to Japan. Asai San in that office is in charge, and I am happy to make an introduction as useful. The Japan and Korea offices are currently talking with clients.

More broadly, as Marcel pointed out, there are reputable certifiers and auditors in play. We expect to build and announce further relationships in this space throughout 2021. The key measure for effective engagement beyond their individual reputation is their participation in the OpenChain Partner Program. This ensures their application has been vetted by our governing board.

Even more broadly, with ISO 5230 gaining traction in procurement, we expect to see an uptick in both independent assessment (similar to ISO 26262, and already provided by law firms and services providers in our eco-system), alongside full third party certification by organizations like PwC and TUV SÜD.



On Feb 21, 2021, at 19:51, Dirk Riehle <dirk@...> wrote:

Hi all,

I assume that the short-term business value of having an OpenChain certification (as a company) is that you can promise your customers lower open source compliance costs. Longer-term I assume the OpenChain (or a comparable one) certification to be a must-have.

Which begs the question where we are on the business of certifications in general. I assume that the self-certification was only an intermediate step and that there should be full blown certifications like the one by TUEV Sued.

When I last looked into how certifications work (ten years ago), there had to be three separate entities to turn this into a viable business:

1. Curriculum designers (those who determine the content)
2. Trainers / consultants who get customers in shape
3. The certification agency and its mark (e.g. TUEV or UL or ...)

I believe this working group is 1. for any OpenChain derived certification marks. Trainers / consultants 2. are plenty, including yours truly.

The missing part seem to be the certification agencies (and their assessors). The people who drove forward the TUEV certification mark have left; not sure much is going on there. Any other agencies?

I'd be curious how the certification agencies establish believable marks. I assume that there will never by a generic (LF) OpenChain certification mark, only TUEV or UL marks. For this, the certification agencies need to set up their assessment program.

I can't find it, but I thought there was an ISO standard on how to set-up certification agencies (i.e. how to get certified as an agency that can issue high-quality marks). Does this apply or can anyone (Joe's Waffle House) create a mark as long as they have the marketing dollars to make customers believe the mark means something?

Cheers, Dirk

Confused about open source?
Get clarity through
Website: - Twitter: @dirkriehle
Ph (DE): +49-157-8153-4150 - Ph (US): +1-650-450-8550

Join to automatically receive all group messages.