2.13 TAS3-Lite Compliance Profile

The compliance requirements have been drafted to ensure true security and accountability. However, we recognize that some of the compliance requirements are quite onerous and could be a hindrance to TAS3 adoption in some low-value situations. Therefore we define in this section a TAS3-Lite profile that can be used in low-value situations as long as the risks are recognized and the deployment is not misrepresented as fully TAS3 compliant. The TAS3-Lite relaxations are as follows:

  1. CR24-File and CR25-Policy are dropped. Informal means should be used to achieve the same end result. Dropping these requirements seriously compromises the ability of the Trust Network and the Users to hold parties accountable.

  2. CR214-CertSAML and CR215-CertIDWSF are dropped due to the financial cost of the certification. Attending cheaper informal interop events is still highly recommended.

  3. CR217-CertCert is dropped. Self-certification is allowed.

  4. CR30-GA is dropped. An informal governance structure is allowed. The most likely consequence is that parties cannot be held responsible in case of serious violations.

  5. CR52-BPM is dropped. Informal modelling is still recommended.
