Sam Hartman wrote:
"Gray," == Gray, Eric <Eric.Gray@xxxxxxxxxxx> writes:
Gray,> Sam, I thought the Security Area Directorate was limited to
Gray,> determining if the description of security risks is
Gray,> adequate and that determination of whether security is
Gray,> adequate - for adequately described security risks - would
Gray,> be up to the end consumer.
First, this document is in last call. It's very clear to me that I
can make a last call comment as an IETF contributor that I think the
security is inadequate.
To be quite honest, I was unsure which hat you were wearing when you made
your statement. I'm also unsure if it matters.
All that being said, I agree that the security considerations section is
missing quite a bit. It should explain the consequences of using this
protocol from a security point of view. And the big thing it left out is
that not only should it mention that there are alternatives, but it should
explicitly state what they are. In this case, the security considerations
section ought to specifically point to XPC, which is also from the CRISP wg
and being IETF last called at the moment. That draft is
draft-ietf-crisp-iris-xpc-04.txt; a review of it would be helpful.
-andy