Michael Richardson wrote: > I imagine the manufacturer initially says: > Device FOO with Version BAR is believed to be safe on open > Internet at date BAZ. I'd like to have the legal department that lets that statement pass... > then they say: > Device FOO with Version BAR is known to be unsafe on open > Internet as of date BAZ, but is safe with ports X,Y,Z blocked. More likely. But the device knows nothing about that. The device does know what software runs on it. Making that information available in the constrained space in such a way that security automation can act on it is one of our immediate objectives. (I'll probably talk briefly about this in next week's T2TRG meeting, in the context of managing "unmanaged" networks. With luck, we'll have a draft for Buenos Aires.) Grüße, Carsten