Ned Freed wrote:
Brian E Carpenter wrote:
> Michael, you've had some quite concrete responses which I hope
> have clarified things, but I really want to say that making
> Internet protocols secure isn't a hoop jumping exercise; it's
> more like a survival requirement, and has been for ten years
> at least.
Where did I say that?
Of course you didn't, and the implication that you did say that was
nothing but
a strawman, a tactic I'm sad to say often seems to crop up in
discussions on
the IETF list.
Excuse *me* but Mike's note that I was responding to said (in part):
So, if this is going to be yet another hoop that the IESG and IAB
sends working groups through like problem statements, requirements
documents and the like, I think it ought to be incumbent on
those people demanding such things to actually both agree and
document what it is that they are demanding.
He explicitly raised the question of hoop jumping, which for me at
least carries a strong implication of pointlessness. That's what
I was responding to.
More recently he said:
Do you seriously think you could write a "threat analysis"
given the definition in 2828?
which reads
"$ threat analysis
(I) An analysis of the probability of occurrences and consequences
of damaging actions to a system."
As a glossary definition, that seems admirably clear. For a complex case,
I'd expect to ask some experts for help in determining the type of
threats to be considered in particular. And I would study 3552 carefully,
warts and all. But the bottom line is that this is hard work to get
right - compare the Security Considerations of RFC 3056 with RFC 3964
for example.
Brian
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf