Christer, Many thanks for your review! Inline: > Section 6.1. says: > > "The URNs generated according to the rules defined in this document > result in long-term stable unique identifiers for the devices." > > - What are those rules? > > In Section 3.3 I do see the following statement: > > "The DEV URN type SHOULD only be used for persistent identifiers, such > as hardware-based identifiers or cryptographic identifiers based on > keys intended for long-term usage." > > Is that what you refer to as rules? Or, have I missed something? > > Also, to me the statement seems like an important applicability statement for > DEV URNs. If so, should there be a separate Applicability (or similar) section > earlier in the document, which points it out? I think we created confusion with the way that the 6.1 sentence was formulated. There’s no specific rules; we were just trying to refer to the use of DEV URNs, and make the point that if you keep sending your MAC address in some protocol, it may actually create a privacy problem as others may be able to track you based on that identity (among others). We were also not trying to make any new applicability statement in the security considerations, beyond what was already said earlier in the document. I have reformulated the text, it now reads: DEV URNs often represent long-term stable unique identifiers for devices. Such identifiers may have privacy and security implications because they may enable correlating information about a specific device over a long period of time, location tracking, and device specific vulnerability exploitation [RFC7721]. Does this clarify the issue? The full new version with other changes is at https://arkko.com/ietf/core/draft-ietf-core-dev-urn-from--08.diff.html > Section 3.1. says: > > "The DEV URNs identify devices with device-specific identifiers such as network > card hardware addresses." > > - Can there be multiple DEV URNs associated with a single device? Yes. Section 3.3. says this now in the new version: And of course, a single device may (and often does) have multiple identifiers, e.g,. identifiers associated with different link technologies it supports. > Section 3.1. says: > > "DEV URN is global in scope." > > - What does that actually mean? See RFC 8141 S6.4.1 item 2; we’re requested to specify the scope of the applicability, and it is not e.g. a single nation of company. But I changed the text to read: DEV URNs are scoped to be globally applicable (see [RFC8141] Section 6.4.1) and enable systems to use these identifiers from multiple sources in an interoperable manner. > In the Introduction, SenML and RD are given as examples where the URN may be > useful. It would be nice to exactly see some usage examples of the URN. Section > 5 only contains examples of the URN itself. That would be good, thanks for the suggestion. I added one example. Jari -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
