[{"author": "Brendan Moran", "text": "

:wave:

", "time": "2024-03-20T03:00:41Z"}, {"author": "Alexey Melnikov", "text": "

https://notes.ietf.org/notes-ietf-119-iotops

", "time": "2024-03-20T03:02:59Z"}, {"author": "Christian Ams\u00fcss", "text": "

I'll help with the minutes as well.

", "time": "2024-03-20T03:04:02Z"}, {"author": "Alexey Melnikov", "text": "

Thank you Christian and Warren

", "time": "2024-03-20T03:04:38Z"}, {"author": "A.J. Stein", "text": "

So you need reviewers for draft-ietf-iotops-security-summary-01? I guess I can volunteer to force myself to read yet another document by my employer.

", "time": "2024-03-20T03:30:16Z"}, {"author": "Alexey Melnikov", "text": "

Yes, please!

", "time": "2024-03-20T03:34:20Z"}, {"author": "A.J. Stein", "text": "

Alexey Melnikov said:

\n
\n

Yes, please!

\n
\n

I do not have a lot of familiarity with the document but I need to read and understand the context because I am a little unclear at pointing to NIST 8529A which is basically a standard mapping to other standards more or less, but TBD and that's part of the impending review.

", "time": "2024-03-20T03:35:35Z"}, {"author": "A.J. Stein", "text": "

Whoa whoa, I never claimed to support intelligent reading.

", "time": "2024-03-20T03:39:52Z"}, {"author": "A.J. Stein", "text": "

Oh good Alexy assuaged my concerns. :smile:

", "time": "2024-03-20T03:40:05Z"}, {"author": "Brendan Moran", "text": "

:laughing:

", "time": "2024-03-20T03:40:05Z"}, {"author": "Brendan Moran", "text": "

The original intent of this draft was a best practices draft for making secure devices. The request was for it to be tilted towards a \"so you want this req, use this draft\" a-la carte menu.

", "time": "2024-03-20T03:40:45Z"}, {"author": "Alexey Melnikov", "text": "

We (IETF) don't want to promise that the mapping is correct. Certainly not in legal sense.

", "time": "2024-03-20T03:43:06Z"}, {"author": "A.J. Stein", "text": "

And then we get to the next slide on \"what does the baseline mean?\" and this is exactly the kind of question that gives me hives.

", "time": "2024-03-20T03:44:05Z"}, {"author": "A.J. Stein", "text": "

There are a few definitions from one of those parties you reference, but I would say of these semi-official defs baseline of control requirements is like a profile of a protocol spec in IETF by analogy (in my NIST experience). Reference, one of the terms in here:

\n

https://csrc.nist.gov/glossary/term/baseline

", "time": "2024-03-20T03:45:39Z"}, {"author": "Ira McDonald", "text": "

Tongue-in-cheek - from Palo Alto CSA yesterday
\n3/18/2024 https://csa-iot.org/newsroom/the-connectivity-standards-alliance-product-security-working-group-launches-the-iot-device-security-specification-1-0/

", "time": "2024-03-20T03:46:22Z"}, {"author": "Christian Ams\u00fcss", "text": "

@meetecho, please pivot to speaker

", "time": "2024-03-20T03:47:21Z"}, {"author": "Warren Kumari", "text": "

As a quick note: Christian is doing all the notes, I'm just getting in the way... :-)

", "time": "2024-03-20T03:47:33Z"}, {"author": "Christian Ams\u00fcss", "text": "

thx

", "time": "2024-03-20T03:47:42Z"}, {"author": "Brendan Moran", "text": "

So my specific complaint is that \"baseline\" means it should be a minimum, but all three documents provided only requirements, none of them provided any direction whatsoever on exceeding those requirements. this starts to sound like they are not, in fact, minima, but actually are fixed requirements.

", "time": "2024-03-20T03:49:40Z"}, {"author": "Brendan Moran", "text": "

I realise that NIST's definition of \"baseline\" does not say that it is a minimum, but the common use in English is \"a minimum or starting point for comparison\" which heavily implies that it should be possible to do better than the baseline.

", "time": "2024-03-20T03:54:24Z"}, {"author": "A.J. Stein", "text": "

Brendan Moran said:

\n
\n

I realise that NIST's definition of \"baseline\" does not say that it is a minimum, but the common use in English is \"a minimum or starting point for comparison\" which heavily implies that it should be possible to do better than the baseline.

\n
\n

I can completely relate to the problem. I am not sure I have a good metaphor the different profiles represent different respective minimum requirements and baselines. In NIST parlance, I have seen profile and baseline used interchangeably. I will see how I can help you constructively with this in a review. I don't like it or agree with it, but I can acknowledge the fun state of affairs. :laughing:

", "time": "2024-03-20T03:59:08Z"}, {"author": "Brendan Moran", "text": "

Thank you!

", "time": "2024-03-20T04:00:24Z"}, {"author": "Christian Ams\u00fcss", "text": "

The \"routers in virtualization tools\" item looks like one well addressable by mDNS proxying for which I think some solutions are around and would only need to be added to the containers.

", "time": "2024-03-20T04:06:21Z"}, {"author": "Matthew Gillmore", "text": "

+1 at Christian's comment

", "time": "2024-03-20T04:07:37Z"}, {"author": "Matthew Gillmore", "text": "

+1 to Michaels comment

", "time": "2024-03-20T04:10:46Z"}, {"author": "A.J. Stein", "text": "

Side note: Carsten: what slide technology are you using with Markdown to facilitate these slide deck pitch to I-D Markdown strategy?

", "time": "2024-03-20T04:15:18Z"}, {"author": "Carsten Bormann", "text": "

I'm using a commercial tool, deckset.com

", "time": "2024-03-20T04:15:36Z"}, {"author": "Warren Kumari", "text": "

Did Carsten say that the slides were made in Markdown? If so, what?

", "time": "2024-03-20T04:15:49Z"}, {"author": "Warren Kumari", "text": "

Oh.

", "time": "2024-03-20T04:15:51Z"}]