Hi Nancy,
At 12:29 14-01-2013, Nancy Cam-Winget (ncamwing) wrote:
[NCW] I can change it to a lower case "must", ok?
That's ok.
[NCW] We can move the reference to be normative.
Ok.
[NCW] I don't think there are specifically for PT-EAP. The sections you
reference
Were to (in section 6) addressing the general EAP identity as PT-EAP is
really not
An "authentication" method.
If I understood the above correctly PT-EAP does not transport any
information which could be used to identify an individual. That's
different from PT-EAP not being an "authenticated" method. Therefore,
there isn't much to say in terms of privacy considerations.
I suggest not including the following then:
"As a transport protocol, PT-EAP does not directly utilize or
require direct knowledge of any personally identifiable
information (PII)."
The draft can leverage the second paragraph of Section 6 as "privacy
considerations" instead of making a statement about PII. I'll copy
this message to ietf-privacy@ to get a better opinion.
In Section 6:
"Therefore, it is important for deployers to leverage these
protections in order to prevent disclosure of PII potentially
contained within PA-TNC or PB-TNC within the PT-EAP payload."
I suggest "information about an individual" instead of PII [1].
Regards,
-sm
1. I used the wording from draft-iab-privacy-considerations-06