On Fri, 03 May 2002 06:57:45 PDT, todd glassey said:

> real-world for you... Letting a technologist blindly develop a protocol that
> is supposed to work in a commercial world is in my opinion more dangerous
> than allowing the salesperson to design a protocol for the technical world
> to solve a problem that they are faced with on a daily basis.
> Especially as the IETF

Find me a sales person who understands security well enough to do a better job than IPSec, and then we'll talk.

Find me a sales person who understands routing issues well enough to do a better job than BGP, and then we'll talk.

> TSG: But isn't the requirements document most of the design in most
> instances? If you can't define the need then the protocol definition is
> at best speculative and ambiguous.

I never said that the sales people shouldn't be contributing the requirements. I said they shouldn't be designing the protocol.

Over in Detroit, they design cars. They do a *LOT* of market research. Market research may say that 75% of people interested in a certain model car would be interested in a rear spoiler - but it would be quite negligent to let the market researchers decide what size bolts to use to attach it to the car, wouldn't it?

> TSG: perhaps. But I am not clear that the IETF should produce anything other
> than recommendations. That Internet Standards and anything
> above an RFC is fodder for a more regimented and audited group.

Anybody who thinks the IETF does anything other than recommend doesn't understand the IETF at all.

> TSG: But who here in the IETF has done commercial security analysis or legal
> analysis of what the use models for a Protocol does?

Erm... Jeff, Steve - will you wave hello to the nice gentleman, and explain to him about the Security area within the IESG? ;)

It may be informative to go read the list of authors of the RFCs that come out of that area, and ask yourself if your army of salespeople understands security better than they do.....

You might also want to go read Bruce Schneier's "Secrets and Lies" and/or "Applied Cryptography", and learn why proprietary security solutions are rarely, if ever, secure.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech