Roman Danyliw has entered the following ballot position for draft-ietf-opsawg-mud-acceptable-urls-11: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud-acceptable-urls/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I am balloting on this document from a GEN area perspective.

** Section 3.1

   While there is an argument that old firmware was insecure and should be replaced, it is often the case that the upgrade process involves downtime, or can introduce risks due to needed evaluations not having been completed yet.

   As an example: moving vehicles (cars, airplanes, etc.) should not perform upgrades while in motion! It is probably undesirable to perform any upgrade to an airplane outside the service facility. A vehicle owner may desire only to perform software upgrades when they are at their residence. Should there be a problem, they could make alternate arrangements for transportation. This contrasts with an alternative situation where the vehicle is parked at, for instance, a remote cabin, and where an upgrade failure could cause a much greater inconvenience.

   The situation for upgrades of medical devices has even more considerations involving regulatory compliance.

I’m having trouble understanding the examples provided and the associated analysis. Editorial recommendation: cut all the text after the first sentence. Otherwise:

-- What do vehicles, aircraft and medical devices have to do with MUD? Is there existing and planned penetration of MUD in those markets?
-- Per “While there is an argument that old firmware was insecure and should be replaced, it is often the case that the upgrade process involves downtime, or can introduce risks due to needed evaluations not having been completed yet. As an example, moving vehicles ...” Where does the suggestion that moving cyber-physical systems should upgrade their firmware in use come from?
-- What is the basis for the claim that the regulatory compliance of medical devices involves more considerations than, say, that of aircraft?

** Reference

   [falsemalware] "False malware alerts cost organizations $1.27M annually, report says", 18 January 2020, <https://www.scmagazine.com/home/security-news/false-malware-alerts-cost-organizations-1-27m-annually-report-says/ and http://go.cyphort.com/Ponemon-Report-Page.html>.

Pick a single URL.

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg