--- 1/draft-ietf-ace-usecases-08.txt	2015-10-07 14:15:05.239991394 -0700
+++ 2/draft-ietf-ace-usecases-09.txt	2015-10-07 14:15:05.299992844 -0700
@@ -5,21 +5,21 @@
 Expires: April 9, 2016                           Universitaet Bremen TZI
                                                              G. Selander
                                                                 Ericsson
                                                                  M. Mani
                                                                    Itron
                                                                 S. Kumar
                                                         Philips Research
                                                         October 07, 2015
 
                              ACE use cases
-                       draft-ietf-ace-usecases-08
+                       draft-ietf-ace-usecases-09
 
 Abstract
 
    Constrained devices are nodes with limited processing power, storage
    space and transmission capacities.  These devices in many cases do
    not provide user interfaces and are often intended to interact
    without human intervention.
 
    This document includes a collection of representative use cases for
    authentication and authorization in constrained environments.  These
@@ -1212,48 +1212,39 @@
 3.4.  Proxies
 
    In some cases, the traffic between endpoints might go through
    intermediary nodes (e.g. proxies, gateways).  This might affect the
    function or the security model of authentication and access control
    protocols e.g. end-to-end security between endpoints with DTLS might
    not be possible (see Section 2.5).
 
 4.  Privacy Considerations
 
-   Many of the devices that are in focus of this document register data
-   from the physical world (sensors) or affect processes in the physical
-   world (actuators), which may involve data or processes belonging to
-   individuals.  To make matters worse the sensor data may be recorded
-   continuously thus allowing to gather significant information about an
-   individual subject through the sensor readings.  Therefore privacy
-   protection is especially important, and Authentication and Access
-   control are important tools for this, since they make it possible to
-   control who gets access to private data.
-
-   Privacy protection can also be weighted in when evaluating the need
-   for end-to-end confidentiality, since otherwise intermediary nodes
-   will learn the content of potentially sensitive messages sent between
-   endpoints and thereby threaten the privacy of the individual that may
-   be subject of this data.
+   The constrained devices in focus of this document collect data from
+   the physical world via sensors or affect their surrounding via
+   actuators.  The collected and processed data often can be associated
+   with individuals.  Since sensor data may be collected and distributed
+   on a regular interval a significant amount of information about an
+   individual can be collected and used as input to learning algorithms
+   as part of big data analysis and used in an automated decision making
+   process.
 
-   In some cases, even the possession of a certain type of device can be
-   confidential, e.g. individuals might not want to others to know that
-   they are wearing a certain medical device (see Section 2.3).
+   Offering privacy protection for individuals is important to guarantee
+   that only authorized entities are allowed to access collected data
+   and to trigger actions, to obtain consent prior to the sharing of
+   data, and to deal with other privacy-related threats outlined in RFC
+   6973.
 
-   The personal health monitoring use case (see Section 2.3) indicates
-   the need for secure audit logs which impose specific requirements on
-   a solution.
-   Auditing is not in the scope of ACE.  However, if an authorization
-   solution provides means for audit logs, it must consider the impact
-   of logged data for the privacy of all parties involved.  Suitable
-   measures for protecting and purging the logs must be taken during
-   operation, maintenance and decommissioning of the device.
+   RFC 6973 was written as guidance for engineers designing technical
+   solutions.  For a short description about the deployment-related
+   aspects of privacy and further references relevant for the Internet
+   of Things sector please read Section 7 of RFC 7452.
 
 5.  Acknowledgments
 
    The authors would like to thank Olaf Bergmann, Sumit Singhal, John
    Mattson, Mohit Sethi, Carsten Bormann, Martin Murillo, Corinna
    Schmitt, Hannes Tschofenig, Erik Wahlstroem, Andreas Baeckman, Samuel
    Erdtman, Steve Moore, Thomas Hardjono, Kepeng Li, Jim Schaad,
    Prashant Jhingran, Kathleen Moriarty, and Sean Turner for reviewing
    and/or contributing to the document.  Also, thanks to Markus Becker,
    Thomas Poetsch and Koojana Kuladinithi for their input on the