<div dir="ltr">Hi all,<div>We had identified <a href="https://github.com/openid/sse/issues/18">Issue #18</a> to provide feedback to the NIST publication referenced above.<br><div>FYI, I have submitted the following feedback, and will close the above issue now:</div></div><div><span id="gmail-docs-internal-guid-e8f05fcc-7fff-6ff1-b101-fce2179b44e6"><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">In section 3.3 (Assumptions), there is no mention of any assumption of interoperability between products. A statement such as there is an expectation that products should eventually interoperate regardless of their vendor origin will help.</span></p></li></ul><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">In section 4.1.2 (ZTA Supporting Components), under ICAM</span></p></li><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:circle;font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The bullet points for authentication and authorization management should be separated out. They are currently under one bullet on line 1703.</span></p></li><li dir="ltr" style="list-style-type:circle;font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">There should be an additional bullet point for Continuous Access Evaluation, like similar bullet points under EDR/EPP and Security Analytics.</span></p></li></ul><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Section 4.2.1 (Build-Specific Features) describes two builds. There should be a discussion on how individual vendors were chosen to be a part of a certain build. 
Were there any limitations of interoperability that caused this choice?</span></p></li><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Appendix D.2 (Build Architecture) defines certain flows such as “User Joins the Enterprise” (D.2.2.2) and “Message Flow for a Successful Resource Access Request” (D.2.4), but does not describe how the session management flows defined in the ZTA in Operation section (4.1.3) are achieved.</span></p></li><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Appendix F has a similar issue in that it defines the access request flow (F.2.3), but does not address the session management flow defined in the “ZTA in Operation” section (4.1.3).</span></p></li></ul><div><font color="#000000" face="Arial"><span style="font-size:14.6667px;white-space:pre-wrap"><br></span></font></div><div><font color="#000000" face="arial, sans-serif"><span style="white-space:pre-wrap">The way to provide the feedback wasn't free form (I had to identify line numbers, etc.) 
so the actual text of the feedback is slightly different than my notes above.</span></font></div><div><font color="#000000" face="arial, sans-serif"><span style="white-space:pre-wrap"><br></span></font></div><div><font color="#000000" face="arial, sans-serif"><span style="white-space:pre-wrap">Atul</span></font></div></span></div></div>