In message <42FA7805.3040102@xxxxxxxxxxxx>, Dave Crocker writes: > >> Having a "threat analysis" was brought up at the plenary by Steve >> Bellovin as being a Good Thing(tm). At the MASS/DKIM BOF we are >> being required to produce such a thing as a prerequisite to even >> getting chartered as a working group. The problem that I have (and >> Dave Crocker at the plenary) is that there doesn't seem to be >> any definition of what a "threat analysis" is. > >As I posted on the DKIM mailing list on Monday ><http://mipassoc.org/pipermail/ietf-dkim/2005q3/000033.html> our AD, Russ >Housely has provided us with a rather straight-forward, 3-question template >for discussing DKIM's threat analysis: > > * Who are the bad actors? > * Where do they fit into the protocol environment (eg, middle of net)? > * What are we trying to prevent them from doing? > >I think Russ' list is quite reasonable and he has been clear as to the reason >he views the development of the threat analysis (TA) as a pre-requisite. The only thing I'd add is a clarification of the first point: are they on links, on nodes, or both? One of the points of my talk is that in multiparty protocols, you don't know who runs remote protocol participants, even in the absence of hacking. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf