[Rats] Warren Kumari's Discuss on draft-ietf-rats-eat-21: (with DISCUSS and COMMENT)

[Warren Kumari via Datatracker <noreply@ietf.org>]

Warren Kumari has entered the following ballot position for
draft-ietf-rats-eat-21: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-rats-eat/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Be ye not afraid -- a DISCUSS ballot is a request to have a discussion --
https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ .

4: S 4.2.3.1. Random Number Based OEMID
"They would perform this only once in the life of the company to generate the
single ID for said company. They would use that same ID in every entity they
make. This uniquely identifies the OEM on a statistical basis and is large
enough should there be ten billion companies."

It is very unclear what exactly the "life of a company" is here. America Online
has been, variously: Control Video Corporation (1983–1985) Quantum Computer
Services (1985–1991) America Online (1991–2009) AOL Time Warner (2001–2009) AOL
(2009 - 2015) AOL, part of Verizon (2015 - now)

At what point(s) in this tangled web (if ever) should "AOL" have generated a
new "single SID"? Another example: "In April 2012, Facebook paid $1B for
Instagram, a photo and video sharing software." -- which "single" SID should
Facebook (whoops, Meta) used for Oculus headsets?


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I mostly have a few comments:
1: It would have been really nice to have an example at the beginning of the
document to help make this less abstract for the reader. Yes, there are
examples further into the document, and a reader unfamiliar with the technology
can always go look at one of those, but having a (very simple) example near the
top of the document would help greatly...

2: S 4.2.1.1. Rules for Creating UEIDs
For the IEEE EUI you say: "This uses the IEEE company identification
registry.", but for 0x03 IMEI all you say is "This is a 14-digit identifier
consisting of an 8-digit Type Allocation Code and a 6-digit serial number
allocated by the manufacturer". This doesn't say who actually assigns the TAC
-- I believe that it is GSMA.

3: S 4.2.3.1. Random Number Based OEMID
"The OEM MAY create their own ID by using a cryptographic-quality random number
generator." -- the use of uppercase MAY feels weird here, and I suggest that
you s/MAY/may.

4: Nit.
"Certain EAT claims can be used to track the owner of an entity and therefore,
implementations should consider providing privacy-preserving options dependent
on the intended usage of the EAT." The grammar here seems odd -- I'd suggest:
"Certain EAT claims can be used to track the owner of an entity; therefore,
implementations should consider providing privacy-preserving options dependent
on the intended usage of the EAT."