> Bernard:
>
> Your rewording of section 2 seems fine to me. As co-author, you could have
> provided it many months ago ;-)
>
> Are you suggesting the addition of something like:
>
>    Authors who follow these guidelines specified in this document
>    should incorporate this phrase near the beginning of their document:
>
>       This document follows the AAA key management guidelines
>       specified in RFC XXXX.

Adding such a statement would at least make it clear to a reviewer that it was the intent of the author to comply with the guidelines. However, I think that having a section on key management claims would make it easier for a reviewer to examine a document and find the material relating to the guidelines.

For example, EAP method documents are required to include a security claims section that is typically short since it typically just references material already in the document or in external references. Similarly a Key Management Claims section might make it easier for a reviewer. Such a section might look like this:

"4.1.  Key Management Claims

   AAA Key Management requirements are defined in [RFCXXXX]. This
   document claims to meet the following requirements, as described
   below:

   Cryptographic Algorithm Independence: Yes (See Sections 2.1, 2.3)
   Strong, fresh session keys: Yes (See Section 3.1, 3.4)
   Key scope: Yes (See Section 4.5)
   Replay protection: Yes (See Section 5.1)
   Authentication: Yes (See Section 2.6)
   Authorization: Yes (See Section 2.7)
   Key confidentiality: Yes (See Section 2.8)
   Confirmed ciphersuite selection: Partial (See Section 2.9)
   Key naming: Yes (See Section 6.1)
   Domino Effect: Yes (See Section 8.1)
   Key context binding: Yes (See Section 7.2)
   Confidentiality of Identity: No
   Authorization Restriction: Partial (See Section 6.2)"

> > While this document includes a lot of useful requirements, it does not
> > provide guidance on how document authors should demonstrate adherence to
> > the principles that are described. For example, a AAA key management
> > document may not include a section describing the assumptions and
> > requirements of the design, which can make it difficult for a reviewer
> > to determine whether or not the protocol fulfills its goals. The
> > document describes a number of useful security properties, but there is
> > no request that document authors include sections in their
> > documents that correspond to these requirements.
> > As a result, my concern is that reviewers could be left with a large task
> > to determine whether a given document did or did not fulfill the
> > requirements described in this document.
> >
> > In order to make life easier for reviewers, it might be helpful for the
> > document to provide explicit guidance for draft authors.

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf