On 06/04/2014 23:11, Stephen Farrell wrote:
On 04/06/2014 08:27 PM, Dick Franks wrote:
On 5 April 2014 14:40, <l.wood@xxxxxxxxxxxx> wrote:
"I didn't see anything that stood out. Are you referring to his why
question? Really? It seems others answered why."
they did not.
Other noises off-stage are irrelevant
The author(s) of the proposal MUST provide the threat model for each
service and a reasoned argument why the proposed action mitigates the
identified threat or threats.
Engineering best practice demands no less.
I disagree. Asking for a threat model seems odd, since the
proposed IESG statement isn't specific to a particular service
and absent that you can't sensibly construct a threat model I
think.
The request is surely that the specification of the application
include the threat model, which seems a very reasonable
requirement.
Transparent decision process demands no less.
I have no idea what's apparently opaque.
Ignoring Lloyd Wood's question is not an option.
Lloyd's questions were answered IMO.
I regret that I am not convinced they were.
Stewart
S..
Dick Franks