Endpoint Security Posture Assessment: Enterprise Use Cases
RFC 7632

Note: This ballot was opened for revision 08 and is now closed.

(Kathleen Moriarty) Yes

(Jari Arkko) No Objection

(Alia Atlas) No Objection

(Deborah Brungard) No Objection

(Ben Campbell) No Objection

(Stephen Farrell) No Objection

Comment (2015-04-08 for -09)
No email
send info
- general: there seems to be no mention or consideration at
all of privacy which I think is a significant flaw in this
document. However, so long as privacy issues are considered in
later documents, that's not a problem. It would be a problem
if privacy were similarly ignored later on. As an example of
why this matters, enterprises will have to adhere to privacy
legislation in various jurisdictions which would for example
introduce a data controller as a relevant entity to be
considered (and that is not considered here). Once one
collects e.g. log information about authentication times and
locations then I suspect you need a data controller and you
might have to delete that data or anonymise it or do other
privacy friendly things with or to such data. I think for now,
adding a statement that later documents will have to consider
the privacy issues associated with these use cases would be a
good idea that would be sufficient to ensure that it's not
forgotten. Note: I do think it would be preferable if someone
had (or still would) spend time on an analysis of the possible
privacy considerations of some of these use-cases. I suspect
those aren't as bad as may be feared and could perhaps be
relatively easily covered in a few paragraphs, once that work
has been done. (If doing that, please do not only consider the
typical US private enterprise network scenario - those in
other parts of the world and in non-profit or public service
can differ significantly in privacy terms.)

- 2.2.5 - I've been to places like that for research purposes
(as stipulated here) and this use-case seems unrealistic to
me.

- section 4: I think you might end up need to consider the
confidentiality and origin authentication of some of the data
at rest as well as in transit. That could get tricky, but
OTOH, if you have any conception of provenance and of privacy
then it's likely to be needed. I'd say just adding a sentence
here to recognise that that can also be an issue would be
enough.

- The secdir review [1] noted a bunch of nits. I didn't
check if those have been fixed or not, but seems like
a good idea.

   [1] https://www.ietf.org/mail-archive/web/secdir/current/msg05536.html

(Joel Jaeggli) No Objection

(Terry Manderson) No Objection

Alvaro Retana No Objection