Open mmccool opened 3 years ago
mmccool
commented
3 years ago Could start here by defining the contexts (which could be related to verticals in the use cases document, rather than redefining them). Since we want to relate this to use cases, I have labelled this under "Architecture" since it will relate to documents maintained by that TF.
mmccool
commented
2 years ago I recently added a PR to the S & P considerations of Architecture that try to resolve the quandary of when to use TLS and access controls, given that setting up TLS on a LAN is difficult at best.
This distinguishes between public and private networks (the former must always use TLS), and things with PII and immutable IDs and those without (only the latter can use nosec).
This covers the "contexts" of public vs private networks. Private networks could be broken down further into "personal use" (e.g. home) and "institutional" (e.g. campus, factory, business). In the latter we might want to say something stronger about use of TLS even if it is difficult to set up, but the assertion is basically still going to be "SHOULD" for both, so... but a "stronger" SHOULD for institutional (greater risk with more people potentially accessing the networks). Maybe I should add a statement about risk being assessed based on the value of the data being affected and the number of people with potential access.
Consider adding specific security and privacy guidelines for particular contexts and scenarios, e.g. connecting devices to a a smart home hub, setting up a public service in a smart city, etc. This should be closely related to the use cases we document in the upcoming use cases publication.