I have mixed feelings about IETF WGs doing threat analysis. On the one hand, Internet security is A Big Deal and I agree with what Steve Bellovin and Brian Carpenter and others have written concerning our need to improve. Frankly, the current "status quo" is quite worrisome. On the other hand, doing a viable Threat Analysis is a whole lot of work. Those of us who are CISSP certified often find ourselves doing Threat Analysis as a normal part of our job functions. However, a good study often takes weeks or months. I am very skeptical that individuals who are not security professionals will be able to do viable threat analysis studies because so many of the key issues are not obvious to our esteemed non-security brethren. To my mind, the author(s) will receive value from doing such a study. However, only valid studies would be useful to the community as a whole. Therefore, I fear that either the security community will become even more overworked or else a whole lot of not-very-helpful text will be produced or else non-security people will become de facto security people. I'm hoping for the third result, but I fear the first two. --Eric _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf