The draft supports both "internal-only subzone" configurations (where secret labels are under a non-sensitive label) and "mixed zone" configurations, where secret labels are mixed with public labels at the same level in the zone.
We might want to recommend the "subzone" configuration for new deployments, if only because it reduces the frequency of changes to the Verification Record.
tireddy2
commented
1 year ago
The draft supports both "internal-only subzone" configurations (where secret labels are under a non-sensitive label) and "mixed zone" configurations, where secret labels are mixed with public labels at the same level in the zone.
We might want to recommend the "subzone" configuration for new deployments, if only because it reduces the frequency of changes to the Verification Record.
Credit to @mcr