Re: summary of informal PING working meeting last Friday...

Hi Frank,

I recall the discussions and the disagreements we had.

In my mail to Joe I explained two possible aspects, and I am still not
sure whether we are actually talking past each other.

Ciao
Hannes


On 03/11/2014 04:22 PM, Frank.Dawson@nokia.com wrote:
> Hei Hannes.
> 
> You and I have talked about this "commentary" on the style of the privacy review approach in RFC 6973. I have characterized it as an "ad hoc" approach compared to the more "systematic" approach used in either Privacy Impact Assessment or Risk Assessment methodologies. This is reflected in the RFC approach, which lists some privacy principles and privacy breach categories but does not describe any process to apply these. In contrast, a PIA involves understanding use cases, data flows, interactors, principles to be supported, threats, privacy requirements and privacy safeguards/controls.
> 
> A middle ground between these two methodologies would be a checklist approach, such as in "go-live" sign-off milestone reviews.
> 
> The PIA (or SPA) approach provides a more systematic process/method that needs to be flexible to the situation/specification under review, but attempts to be more holistic.
> 
> Frank/
> 
>> -----Original Message-----
>> From: ext Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]
>> Sent: 11 March, 2014 08:01
>> To: Joseph Lorenzo Hall; public-privacy@w3.org
>> Cc: Runa Sandvik
>> Subject: Re: summary of informal PING working meeting last Friday...
>>
>>
>> On 03/11/2014 03:03 PM, Joseph Lorenzo Hall wrote:
>>> The guidelines in RFC 6973 are in no way systematic; they are probably
>>> better characterized as a point or one-time evaluation. They are meant
>>> to be a set of considerations that IETF specifications should respond
>>> to before Area Director review, and the AD can require specification
>>> editors to include text addressing those issues.
>>
>> Joe, could you explain your criticism regarding RFC 6973?
>>
>> Regarding the question about when to do the review, RFC 6973 does not
>> mandate a specific style. In the IETF, as you know, reviews are done in all stages
>> of the document life-cycle (not only during IESG review).
> 
> 

Received on Tuesday, 11 March 2014 19:22:46 UTC