Comments on Primelife requirements document

Hi All,
As discussed on the call, I am sending round my comments on the Primelife requirements doc:

1. In general, the document is excellent, since it does not fall into the trap of mixing up requirements and solutions.
2. Need for modularisation - a policy language which satisfies all those requirements is going to be too complex to use.
3. For Social Networks, suggest including sub-case of accessing statistics on who has browsed my profile. E.g. x spends 1/2 an hr looking at pictures of y's girlfriend on her SN profile - does y or the girlfriend get this information?
4. For Social Networks, include policies based on reputation - e.g. you can see field x of my profile if you have a certain reputation.
5. For Social Networks, consider including a requirement for security features of destination e.g. encrypted transfer of profile data with scheme x.
6. Anonymous credentials use-case is actually about a solution - suggest deriving the requirements related to anonymous credentials from the other use-cases.
7. Not sure what the relevance of the section on corporate security policies is. Is it related to Trust Policies? If so, this should be clarified...
Giles Hogben
Network Security Policy Expert
European Network & Information Security Agency (ENISA)
Tel: +30 2810 391892
Fax: +30 2810 39000

Received on Wednesday, 11 February 2009 13:57:01 UTC