Linda, Thank you so much for casting your eyes over our document. Some thoughts in line... > I have reviewed this document as part of the SEC area directorate's ongoing > effort to review all IETF documents being processed by the IESG. These > comments were written primarily for the benefit of the Security area directors. > Document editors and WG chairs should treat these comments just like any other > last-call comments > > Section 6, paragraph 4 highlights the customer's responsibility for end-to-end > security, even when utilizing secure network slices as a service provided by > their service providers. This raises several questions: > > - Does the document imply that customers should not trust the secure network > slices offered by service providers? Essentially, yes. No one should trust a security service that they cannot, themselves, verify. However, the text doesn't go quite that far. It says that the customer is responsible for ensuring the privacy and integrity of their traffic. If a customer chooses to do that by subscribing to a service that claims to provide the necessary measures, then the customer is free to do so. > - It might be beneficial for the document to specify criteria or guidelines > that customers can use to evaluate the security and integrity of secure network > slices as a service. Providing such criteria would help customers make informed > decisions and ensure they meet their security requirements. It might be, although that is probably way beyond the scope or competence of the authors. If pushed, I would say that no privacy or integrity service that cannot be independently verified by the customer can be trusted. Cheers, Adrian -- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx
