Re: [Raw] Roman Danyliw's Discuss on draft-ietf-raw-use-cases-08: (with DISCUSS and COMMENT)

[CARLOS JESUS BERNARDOS CANO <cjbc@it.uc3m.es>]

Thanks a lot John. Pretty useful summary.

We thought the approach DETNET followed for the security part was fine, but
we are happy to add some text per use case as suggested.

We are working on the next revision. Note that next week is tricky in Spain
(lot's of holidays, meaning the whole week is off for most of us), so it
might take a couple of weeks to converge and submit a new revision. Our
goal is to send it before the Xmas break. Hope this is OK.

Thanks!

Carlos

Thanks,

Carlos

On Thu, Dec 1, 2022 at 8:14 PM John Scudder <jgs@juniper.net> wrote:

> Hi All,
>
> > On Nov 29, 2022, at 5:46 PM, CARLOS JESUS BERNARDOS CANO <
> cjbc@it.uc3m.es> wrote:
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Section 12 states the situation accurately – “Each of the potential RAW
> > use-cases will have security considerations from both the use-specific
> > perspective.”  Where are these security and privacy considerations for
> these
> > uses cases discussed?  Are these in scope to solve for RAW?  A select
> list to
> > review would be:
> >
> > ** Section 3.*. Per the amusement park use case, what are the physical
> location
> > tracking and surveillance considerations?
> >
> > ** Section 7.*.  Per the vehicle platooning use case, what are the
> physical
> > location tracking privacy considerations?
> >
> > ** Section 8.*. Per the edge robotics use case, what are the privacy
> > considerations of the video surveillance?
> >
> > ** Section 9.*.  Per the ambulance use case, what are the security
> > considerations around exchanging health care information over a wireless
> WAN?
> >
> > A clearer distinction of what is to be addressed at the protocol level,
> and
> > what seems like an application consideration is needed.
> >
> > [Carlos] This is a good point to clarify. We have followed the same
> approach as in the DETNET use cases document (RFC 8578). The RAW use cases
> document aims at documenting different use cases of interest for RAW, and
> documenting their demands in terms of rea liability and availability. The
> document does not go into the per-use case privacy and security
> considerations of potential future RAW solutions. As of today, the RAW WG
> is not chartered to work on solutions (it might be done in RAW or DETNET).
> We believe that the specific privacy and security considerations for the
> solutions would belong to a different document. Do you think we should be
> specific about this in the document? We borrowed some text from RFC 8578 to
> be consistent with the approach that DETNET followed.
>
> We talked about this at today’s IESG telechat. I thought I would take a
> stab at summarizing the points Roman made; I’m sure he will correct me if I
> get anything wrong. It was something like this:
>
> - Agreed that this document is use cases and not solutions.
> - The document presents use cases, described in prose in a fairly abstract
> way.
> - It is appropriate to talk about security+privacy *at the same level of
> abstraction* relative to the cases presented.
> - Meaning, just a sentence or two per use case probably.
> - Take the amusement park with armband doing human tracking case. It would
> be appropriate to briefly acknowledge this creates a consideration that
> will need to be worked out as part of a solution.
>
> I would add in my own words, that in the same way use cases exist to
> provide context for working on and evaluating a solution, it’s also helpful
> to identify (though not solve) any security and privacy considerations that
> a solution will foreseeably need to address.
>
> I hope this helps,
>
> —John