Re: what is a threat analysis?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



One small point.....

--On 11. august 2005 07:52 -0700 Michael Thomas <thomasm@xxxxxxxxx> wrote:

Brian E Carpenter wrote:
Michael, you've had some quite concrete responses which I hope
have clarified things, but I really want to say that making
Internet protocols secure isn't a hoop jumping exercise; it's
more like a survival requirement, and has been for ten years
at least.

Where did I say that? My issue is that if people are going
to invoke process, they should be prepared to define what
the process is. And not just hand waving; concrete pointers
to documents that have been through the rough consensus
mechanism so that all parties can shoot for a common
goal.

I did not hear at any stage Russ claiming that asking for a threat analysis was "invoking process". He was asking for information that would allow him to make up his mind about whether or not to support DKIM becoming a WG.

As far as I know, there is no formal process called "ask for a threat analysis". Some people would argue that there should be, and if that argument were to be adopted, it should certainly have guidance attached to it.

But in this case, I believe all the formal process there is is "AD, using his or her best judgment, will decide". This is contained in RFC 2418 section 2.1 (quoted below). The threat analysis asked for seems to be intended to improve the basis for judgment on the first 3 points....
-----------------------------------------------------------------------
2.1. Criteria for formation

  When determining whether it is appropriate to create a working group,
  the Area Director(s) and the IESG will consider several issues:

   - Are the issues that the working group plans to address clear and
     relevant to the Internet community?

   - Are the goals specific and reasonably achievable, and achievable
     within a reasonable time frame?

   - What are the risks and urgency of the work, to determine the level
     of effort required?

   - Do the working group's activities overlap with those of another
     working group?  If so, it may still be appropriate to create the
     working group, but this question must be considered carefully by
     the Area Directors as subdividing efforts often dilutes the
     available technical expertise.

   - Is there sufficient interest within the IETF in the working
     group's topic with enough people willing to expend the effort to
     produce the desired result (e.g., a protocol specification)?
     Working groups require considerable effort, including management
     of the working group process, editing of working group documents,
     and contributing to the document text.  IETF experience suggests
     that these roles typically cannot all be handled by one person; a
     minimum of four or five active participants in the management
     positions are typically required in addition to a minimum of one
     or two dozen people that will attend the working group meetings
     and contribute on the mailing list.  NOTE: The interest must be
     broad enough that a working group would not be seen as merely the
     activity of a single vendor.

   - Is there enough expertise within the IETF in the working group's
     topic, and are those people interested in contributing in the
     working group?

   - Does a base of interested consumers (end-users) appear to exist
     for the planned work?  Consumer interest can be measured by
     participation of end-users within the IETF process, as well as by
     less direct means.

   - Does the IETF have a reasonable role to play in the determination
     of the technology?  There are many Internet-related technologies
     that may be interesting to IETF members but in some cases the IETF
     may not be in a position to effect the course of the technology in
     the "real world".  This can happen, for example, if the technology
     is being developed by another standards body or an industry
     consortium.

   - Are all known intellectual property rights relevant to the
     proposed working group's efforts issues understood?

   - Is the proposed work plan an open IETF effort or is it an attempt
     to "bless" non-IETF technology where the effect of input from IETF
     participants may be limited?

   - Is there a good understanding of any existing work that is
     relevant to the topics that the proposed working group is to
     pursue?  This includes work within the IETF and elsewhere.

   - Do the working group's goals overlap with known work in another
     standards body, and if so is adequate liaison in place?

  Considering the above criteria, the Area Director(s), using his or
  her best judgement, will decide whether to pursue the formation of
  the group through the chartering process.






_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]