Stephen,
Nice job of collecting the vast number of comments during the session.
Some thoughts on a few of the notes:
- IPv6 + IPsec + RFC 6092 => IKE, ESP get in, could make things better?
Do we have any info on whether many CPE devices conform to most (all?) of the recommendations in 6092?
Research topics, maybe for IAB w/s or IRTF?:
- problems handling security protocol failures (e.g. cert expiry)
I don't see handling cert expiry as a research problem. It seems that vendors have decided that too many CAs are too sloppy re cert expiration and thus products are lenient wrt expiration, which, of course, disrupts a possible feedback loop ...
Actionable maybe, nothing done yet:
- maybe get servers (web) and CA people together to try to develop some usable certification protocols
What protocols do you think we are missing?
- IETF should go beyond legislative definitions of personal data, e.g. meta-data; define PII as privacy impacting information
I disagree with this suggestion. PII is defined by law in several jurisdictions. If we want to define privacy-related info, create a new term, but don't start a fight over an existing, defined term.
- (plenary) we should set the GAAP equivalent for security and privacy
GAAP are defined by the IASB. Even though the IESG share several acronym letters and length, there are way too many differences to believe that they can be the source of an analogous set of principles. Also, many of the issues that affect security and privacy in the Internet are host/server issues that are outside of the protocol purview of the IETF.
Steve
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass