> From: ietf-bounces@xxxxxxxx [mailto:ietf-bounces@xxxxxxxx] On
> Behalf Of Stephen Kent

> Dave & Michael,
>
> In the DoD environment, a threat analysis for a system identifies the
> classes of adversaries that the author believes are of concern, and
> describes their capabilities and motivations. Russ's three questions
> are a concise way of stating this:
> - The "bad actors" are adversaries.
> - Their capabilities allude to where the adversaries "fit
> into the system" and what sorts of attacks they may employ to effect
> their goals.
> - Their motivations indicate what they are trying to do, the
> flip side of "what are we trying to prevent them from doing."

There is still a potential ambiguity here; there are actually two types of threat analysis:

1) Of the system in which the proposal is intended to provide a control
2) Of the proposal itself

These are somewhat different: the first question is 'what problem is the protocol intended to solve', the second is 'Does the protocol provide the security assurances it is intended to'.

Both sets of analysis are important steps towards answering the question 'Will the protocol actually make a difference'.

One of the implicit criticisms of DKIM is that previous attempts to apply cryptography to email only answered the second question; the first was more or less taken for granted.

Since a reasonably complete threat model of the first type was provided before Russ asked the question at the BOF, I assume that he is (correctly in my view) asking for an analysis of the first type.

Security is a property of systems, not protocols.