[OPSAWG] Roman Danyliw's No Objection on draft-ietf-opsawg-mud-acceptable-urls-11: (with COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Wed, 03 April 2024 02:20 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: opsawg@ietf.org
Delivered-To: opsawg@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 68855C14F61E; Tue, 2 Apr 2024 19:20:00 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-opsawg-mud-acceptable-urls@ietf.org, opsawg-chairs@ietf.org, opsawg@ietf.org, henk.birkholz@ietf.contact, henk.birkholz@sit.fraunhofer.de
X-Test-IDTracker: no
X-IETF-IDTracker: 12.9.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <171211080041.52998.16538712754663513072@ietfa.amsl.com>
Date: Tue, 02 Apr 2024 19:20:00 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/vUTiASvgh4vAJf4lhq_JrjK7xM8>
Subject: [OPSAWG] Roman Danyliw's No Objection on draft-ietf-opsawg-mud-acceptable-urls-11: (with COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2024 02:20:00 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-opsawg-mud-acceptable-urls-11: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud-acceptable-urls/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I am balloting on this document from a GEN area perspective. ** Section 3.1 While there is an argument that old firmware was insecure and should be replaced, it is often the case that the upgrade process involves downtime, or can introduce risks due to needed evaluations not having been completed yet. As an example: moving vehicles (cars, airplanes, etc.) should not perform upgrades while in motion! It is probably undesirable to perform any upgrade to an airplane outside the service facility. A vehicle owner may desire only to perform software upgrades when they are at their residence. Should there be a problem, they could make alternate arrangements for transportation. This contrasts with an alternative situation where the vehicle is parked at, for instance, a remote cabin, and where an upgrade failure could cause a much greater inconvenience. The situation for upgrades of medical devices has even more considerations involving regulatory compliance. I’m having trouble understanding the examples provide and the associated analysis. Editorial recommendation: cut all the text after the first sentence. Otherwise: -- What does vehicles, aircraft and medical devices have to do with MUD? Is there existing and planned penetration of MUD in those markets? -- Per “While there is an argument that old firmware was insecure and should be replaced, it is often the case that the upgrade process involves downtime, or can introduce risks due to needed evaluations not having been completed yet. As an example, moving vehicles ...” Where does the suggestion that moving cyber-physical systems should upgrade their firmware in use come from? -- What is the basis for the claim that the regulatory compliance of medical devices is more considerations than say of aircraft? ** Reference [falsemalware] "False malware alerts cost organizations $1.27M annually, report says", 18 January 2020, <https://www.scmagazine.com/home/security-news/false- malware-alerts-cost-organizations-1-27m-annually-report- says/ and http://go.cyphort.com/Ponemon-Report-Page.html>. Pick a single URL.
- [OPSAWG] Roman Danyliw's No Objection on draft-ie… Roman Danyliw via Datatracker
- Re: [OPSAWG] Roman Danyliw's No Objection on draf… Michael Richardson