On Tue, Jan 14, 2014 at 4:45 PM, Fred Baker (fred) <fred@xxxxxxxxx> wrote: > So the question in the shepherd's report should not be "tell me you thought about the EU Data Retention Initiative and whether your protocol's data identifies an individual". It should be "what personal, equipment, or session identifiers, encrypted or otherwise, are carried in your protocol? How might they be correlated with offline data or otherwise used to infer the identity or behavior of an individual?" The main problem is that: privacy issues are deeper than that, the question could be misunderstood without a larger context, and there's already a set of documents discussing most of that larger context (RFC 6973, the perpass problem statement draft, etc.). The Document Shepherd Write-Up currently doesn't reference security guidelines directly. Instead of asking a few specific questions in the shepherd's writeup as you suggest, consider adding the privacy/perpass docs to BCP 72 (which already includes RFC 3552) as they are approved, and then optionally add a question to the shepherd's writeup that refers to it, in order to emphasize the increased attention to the issue. Scott