FW: ACTION-660: Input to BP2, on Security and Privacy

Hi all,

This is one of a series of emails addressing ACTION-660. This thread
will address the requirements and recommendations for Security and
Privacy in BP2.

Here is the current editor's draft text in the Requirements and Best
Practice Statements sections:
+++++
2.2 Security and privacy
Security is important to address in the mobile environment, due to more
frequent dependence upon personalized information. While this
information is essential to increasing service value, its use represents
a security and/or privacy risk. The overall goal for security is to
protect any personally identifiable information, and especially user
identifiers or keys to user identity.

5.2 Security and privacy
Personally identifiable information (e.g. user identity or information
usable as a key to user identity) should be accepted or sent securely,
i.e. over secure transport (HTTPS), or securely hashed if sent over
non-secure transport.
+++++

[bryan] This recommendation addresses the basic ability to protect user
personally identifiable information. It can be considered the root of
privacy protections generally, enabling primarily the confidentiality
and integrity of information. Note that given confidentiality and
integrity in transit, the "trust" in the source (or authenticity) of the
information is a different aspect, which we might address, but is more
difficult as trust depends upon larger issues which are not as easily
verifiable as confidentiality and integrity. We welcome suggestions for
other recommendations in this area.

Best regards,
Bryan Sullivan | AT&T

Received on Thursday, 14 February 2008 22:15:16 UTC
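
An added example, not part of the original message or the editor's draft: one way a client and server could apply the 5.2 statement, sending identifiers as-is over HTTPS and as a keyed hash over plain HTTP. The draft names no algorithm, so the HMAC-SHA-256 choice, the field names, the shared key and the sample values are all assumptions made for the illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical field names treated as personally identifiable information.
PII_FIELDS = {"user_id", "msisdn"}


def keyed_digest(value: str, key: bytes) -> str:
    # Assumption: "securely hashed" is read as HMAC-SHA-256 under a key shared
    # with the service. An unkeyed hash of a low-entropy identifier (such as a
    # phone number) can be reversed by enumerating candidates.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_fields(url: str, fields: dict, key: bytes) -> dict:
    """Return the form fields in the shape that may be sent to `url`."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return dict(fields)  # secure transport: values go as-is
    if scheme != "http":
        raise ValueError(f"unsupported scheme: {scheme!r}")
    # Non-secure transport: replace each PII value with its keyed digest.
    # The digest is still a stable pseudonym that an observer can link across
    # requests, so HTTPS remains the stronger of the two options.
    return {
        (name + "_hmac" if name in PII_FIELDS else name):
        (keyed_digest(value, key) if name in PII_FIELDS else value)
        for name, value in fields.items()
    }


def resolve_user(digest: str, known_ids: list, key: bytes):
    """Server side: map a received digest back to a known identifier."""
    for candidate in known_ids:
        if hmac.compare_digest(keyed_digest(candidate, key), digest):
            return candidate
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    form = {"msisdn": "+15555550100", "lang": "en"}  # constructed sample values
    print(prepare_fields("https://example.org/profile", form, key))
    sent = prepare_fields("http://example.org/profile", form, key)
    print(sent)
    print(resolve_user(sent["msisdn_hmac"], ["+15555550199", "+15555550100"], key))
```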