Re: Gen-ART review of draft-ietf-geopriv-lbyr-requirements-07

On Jun 4, 2009, at 9:24 AM, Cullen Jennings wrote:


Thanks for review ... just wanted to respond to one point in this.

On Jun 3, 2009, at 4:47 PM, Spencer Dawkins wrote:

C5. User Identity Protection:  The location URI MUST NOT contain
   information that identifies the user or device.  Examples include
   phone extensions, badge numbers, first or last names.

Spencer (minor): this is probably a good idea, but I'm not sure it's a 2119 MUST (NOT). How would you recognize this on the wire (do you know what MY badge number is :-)?

There is the age-old discussion about what 2119 means in a requirement document, but I'm trying to ignore that and just go with how well this conveys the intent of the WG to future readers. I agree we could not really black box test this but I think it does get to the essence of what the requirement is. Even last names might be hard to tell they are a last name, I hear rumor that Google thinks Tschofenig is a strong password though I note it is a very common word to find in internet drafts :-)

Anyways, I can't think of a better way to write this requirement so unless someone has a concrete proposal, I suspect I will just leave as is.


Say WHY it MUST NOT.

All 2119 language needs explanation; you MUST NOT include identifying information because if you do, that information will be revealed to attackers, who may exercise it in attacks. Such attacks include but are not limited to social engineering, impersonation, stalking, extortion, and pretending to be an Area Director . . .

In other words, when you use 2119 language to explain a requirement, explain the rationale for that requirement; in particular explain what happens (or becomes possible) if the requirement is violated.

Unsubstantiated dogma is doggerel.

--
Dean


