In operations that need decision-making in the (near) realtime, policy framework is a good input. For that, the OSS can efficiently use the policy framework if it is itself policy based. Examples of QoS and NMS are common. However "Security" seems just as strong a candidate (if not stronger) for a Policy Based framework. Application of RFC 3060 to the NMS was facilitated by the natural course of the events. For instance, the Policy Framework WG resided within the Operations and Management Area. So the Network Management considerations were out there by default. However the same is hard to assume for the "Security" considerations. Security was not at the top of peoples mind when they developed RFC 3060. Hence the application of the Policy Framework to a Security system is less straight forward, though presumably quite feasible and desirable. Any ideas as to how one goes about developing a Policy Based Security Framework? What can we do at IETF for that? Regards Dr A R Choudhary -----Original Message----- From: Haren Visavadia [mailto:haren@btopenworld.com] Sent: Monday, October 21, 2002 2:14 PM To: 'Choudhary, Abdur R (Rahim)' Cc: ietf@ietf.org Subject: RE: VoIP Security >I think that a Security Framework is more useful if it is Policy Based. I strongly agree with that. I think that is the only way to improve security overall for the better.