Re: Last Call: 'A Lightweight UDP Transfer Protocol for the Internet Registry Information Service' to Proposed Standard (draft-ietf-crisp-iris-lwz)

Sam Hartman wrote:
> "Gray," == Gray, Eric <Eric.Gray@xxxxxxxxxxx> writes:
>
>     Gray,> Sam, I thought the Security Area Directorate was limited to
>     Gray,> determining if the description of security risks is
>     Gray,> adequate and that determination of whether security is
>     Gray,> adequate - for adequately described security risks - would
>     Gray,> be up to the end consumer.
>
> First, this document is in last call.  It's very clear to me that I
> can make a last call comment as an IETF contributor that I think the
> security is inadequate.

To be quite honest, I was unsure which hat you were wearing when you made your statement. I'm also unsure if it matters.

All that being said, I agree that the security considerations section is missing quite a bit. It should explain the consequences of using this protocol from a security point of view. And the big thing it left out is that not only should it mention that there are alternatives, but it should explicitly state what they are. In this case, the security considerations section ought to specifically point to XPC, which is also from the CRISP wg and being IETF last called at the moment. That draft is draft-ietf-crisp-iris-xpc-04.txt; a review of it would be helpful.

-andy


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
