Adding an item/requirement that just came up in the COMSEC meeting:
Some processes in the Security field require private spaces to do work with strict access control. Some examples that came up:
- Incident Response, where a security event has happened within Aux that needs to be worked through. This might include private information and/or sensitive information like crypto keys.
- Responsible disclosure for security vulnerabilities, where security researchers reach out to get issues resolved and updated with enough lead time, so that by the time the vulnerability gets publicized it is very likely that affected users have already updated their software.
Whichever software we are planning to use should support this use case, ideally through RBAC (role-based access control).