Re: [sacm] WGLC for draft-ietf-sacm-ecp

Adam Montville <adam.montville.sdo@gmail.com> Fri, 12 July 2019 15:27 UTC

From: Adam Montville <adam.montville.sdo@gmail.com>
Message-Id: <2EA14938-0D78-4BDE-8296-0503B8F08435@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_FE8A08DD-46E3-41B4-855C-EC5733C1E28D"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 12 Jul 2019 10:27:35 -0500
In-Reply-To: <CAN40gStnjDOxSNJ8e3+kNwzB8N7z7KD79qqnEexKx9OgPaW8iw@mail.gmail.com>
Cc: Karen O'Donoghue <odonoghue@isoc.org>, Jessica Fitzgerald-McKay <jmfmckay@gmail.com>, "sacm@ietf.org" <sacm@ietf.org>
To: Ira McDonald <blueroofmusic@gmail.com>
References: <5B73FDDD-680A-4596-99FA-920B0776D862@isoc.org> <CAN40gStnjDOxSNJ8e3+kNwzB8N7z7KD79qqnEexKx9OgPaW8iw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/1Tr03eND4pXsaUjYhAYJALYIEpY>
Subject: Re: [sacm] WGLC for draft-ietf-sacm-ecp

Hello all:

I agree with Ira’s comments and I see EPCP as one of many potential collection architectures that may exist within the wider SACM architecture. Therefore, I believe this draft is ready for publication.

Kind regards,

Adam

> On Jul 2, 2019, at 11:07 AM, Ira McDonald <blueroofmusic@gmail.com> wrote:
> 
> Hi,
> 
> Ira's comments on <draft-ietf-sacm-ecp-05>
> 
> 3.2.1.  Provisioning
> 
> - Describes one-time setup examples of serial numbers (immutable), 
> hardware certificates (long-lived), and device MAC addresses, which
> are NOT immutable and *should* be changing for Random MAC address
> usage over time, per recent IEEE 1609 (WAVE), IEEE 802.11 (Wi-Fi), 
> and Common Criteria protection profile recommendations.
> 
> - Recommend removing the MAC address example from this clause.
> 
> 6.  Future Work
> 
>    "Reassess the use of MAC addresses, including market research to
>    determine if MAC addresses continue to be a widely implemented
>    device identifier among network tools."
> 
> - Market research showing the continued unwise use of fixed MAC
> addresses in Enterprise networks is not a valid criterion.  This is
> one of many bad security practices that are hard to stamp out.
> 
> - Recommend changing to:
>    "Reassess the use of MAC addresses, based on technical research
>    into current security best practices in IoT, automotive, mobile,
>    and other privacy sensitive market domains."    
> 
> 10.  Privacy Considerations
> 
>    "The EPCP specifically addresses the collection of posture data from
>    enterprise endpoints by an enterprise network.  As such, privacy is
>    not going to often arise as a concern for those deploying this
>    solution."
> 
> - Strongly disagree.  If enterprise (or cloud) servers with endpoint
> posture metadata are successfully hacked (they're an attractive target),
> then major privacy issues arise with location/time-of-day association
> with PII for mobile users.  In the EU, GDPR protections definitely do
> apply to enterprise networks.
> 
> - Recommend changing to:
> 
>    "The EPCP specifically addresses the collection of posture data from
>    enterprise endpoints by an enterprise network.  As such, privacy is
>    a fundamental concern for those deploying this ECP solution, given
>    EU GDPR, California CCPA, and many other privacy regulations.  The
>    enterprise SHOULD implement and enforce their duty of care."
> 
>    "An enterprise network should limit access to endpoint posture and
>    identification information to authorized users."
> 
> - Very weak statement.  Potentially large number of network admins and
> IT support people may have access to endpoint posture metadata.  They
> should always have training about the importance of protecting this
> endpoint posture metadata.
> 
> - Recommend changing to:
> 
>    "An enterprise network SHOULD limit access to endpoint posture and
>    identification information to authorized users and SHOULD enforce 
>    policies that prevent export of endpoint posture metadata to third 
>    parties (except duly authorized law enforcement personnel)."
> 
> 
> Cheers,
> - Ira
> 
> Ira McDonald (Musician / Software Architect)
> Co-Chair - TCG Trusted Mobility Solutions WG
> Co-Chair - TCG Metadata Access Protocol SG
> Chair - Linux Foundation Open Printing WG
> Secretary - IEEE-ISTO Printer Working Group
> Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
> IETF Designated Expert - IPP & Printer MIB
> Blue Roof Music / High North Inc
> http://sites.google.com/site/blueroofmusic
> http://sites.google.com/site/highnorthinc
> mailto: blueroofmusic@gmail.com
> PO Box 221  Grand Marais, MI 49839  906-494-2434
> 
> 
> 
> On Thu, Jun 27, 2019 at 4:34 PM Karen O'Donoghue <odonoghue@isoc.org> wrote:
> Folks,
> 
> As discussed at our virtual interim on Tuesday, this begins a three week working group last call for: 
> Endpoint Posture Collection Profile
> https://datatracker.ietf.org/doc/draft-ietf-sacm-ecp/
> 
> Please reply to this email thread with an indication that you have read the document, any comments you may have, and your assessment of whether or not it is ready to proceed to publication. 
> 
> DEADLINE: Please reply by Friday 19 July 2019. 
> 
> Thanks!
> Karen and Chris
> 
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
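Added example (not code from the draft or from anyone in this thread) illustrating the point in Ira's first comment, that a MAC address is not an immutable provisioning identifier: IEEE 802 addressing reserves bit 1 of the first octet as the universal/local (U/L) flag and bit 0 as the individual/group flag, and the randomized Wi-Fi addresses that modern OSes rotate over time are generated as locally administered unicast addresses, so a collector can at least detect that a reported MAC is of the kind that is expected to change. The sample addresses, the function names and the "usable as provisioning identifier" policy are my own constructions for illustration; the caveat, as the code notes, is that even a universally administered MAC is trivially spoofable and so is still a weak identifier.

```python
import os
import re

# Six hex octets separated by ":" or "-", case-insensitive.
_MAC_RE = re.compile(
    r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
    r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$",
    re.IGNORECASE,
)

# IEEE 802 flag bits in the first octet (transmission order).
_GROUP_BIT = 0x01   # 1 = group/multicast address, 0 = individual/unicast
_LOCAL_BIT = 0x02   # 1 = locally administered, 0 = universally administered (OUI-based)


def parse_mac(text: str) -> bytes:
    """Parse a textual MAC address into six bytes; reject anything else."""
    match = _MAC_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(octet, 16) for octet in match.groups())


def classify_mac(text: str) -> str:
    """Return 'multicast', 'locally-administered' or 'universally-administered'."""
    first_octet = parse_mac(text)[0]
    if first_octet & _GROUP_BIT:
        return "multicast"
    if first_octet & _LOCAL_BIT:
        return "locally-administered"
    return "universally-administered"


def random_local_mac() -> str:
    """Generate a randomized MAC the way OS MAC randomization does:
    random bits, U/L bit set (locally administered), group bit cleared (unicast).
    Each call yields a different address, which is exactly why such an
    address cannot serve as a one-time provisioning identifier."""
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] | _LOCAL_BIT) & ~_GROUP_BIT & 0xFF
    return ":".join(f"{b:02x}" for b in octets)


def usable_as_provisioning_identifier(text: str) -> bool:
    """Illustrative policy (my assumption, not the draft's): only a universally
    administered unicast MAC is even a candidate identifier. Note that passing
    this check does not make the address trustworthy: any MAC can be spoofed
    by the endpoint, so a hardware-bound certificate is the better anchor."""
    return classify_mac(text) == "universally-administered"


# Constructed sample addresses (not taken from the thread or the draft).
SAMPLES = {
    "00:1a:2b:3c:4d:5e": "universally-administered",  # 0x00: U/L=0, group=0
    "da:a1:19:00:11:22": "locally-administered",      # 0xda: U/L=1, group=0
    "01:00:5e:00:00:fb": "multicast",                 # 0x01: group=1
}


def check_samples() -> bool:
    """Classify every constructed sample and confirm the expected result."""
    return all(classify_mac(mac) == expected for mac, expected in SAMPLES.items())


if __name__ == "__main__":
    for mac, expected in SAMPLES.items():
        print(f"{mac}  {classify_mac(mac):26s} usable={usable_as_provisioning_identifier(mac)}")
    generated = random_local_mac()
    print(f"{generated}  {classify_mac(generated):26s} usable={usable_as_provisioning_identifier(generated)}")
```

Run stand-alone it prints the classification of each constructed sample and of a freshly generated randomized address; the generated address comes out locally administered and therefore not usable, and a second run yields a different address.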