RE: Security for various IETF services

Stephen,

once again I refer you to
http://www.ietf.org/mail-archive/web/ietf/current/msg81787.html

> we will not suddenly forget how to do sound engineering 

oddly enough, that happens. DTNRG forgot checksums, the
end-to-end-principle, designing for embedded systems...

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: Stephen Farrell [stephen.farrell@xxxxxxxxx]
Sent: 09 April 2014 09:43
To: Wood L  Dr (Electronic Eng); rwfranks@xxxxxxx; daedulus@xxxxxxxxxxxxx
Cc: ietf@xxxxxxxx
Subject: Re: Security for various IETF services

I love how folks who it seems would rather we do nothing
are asking for more security process in this case.

IMO, the tools folks haven't gone terribly wrong on this in
the past and are not likely to do so in future. We are also
not developing new protocols for broad Internet use here
but rather talking about an IESG statement that those who
develop tooling and who deploy services should find useful
when considering new IETF services such as some new web
tool or remote participation tool. The statement also
reminds them to not go OTT and break stuff just in order
to improve security.

So no, we do not need a common criteria evaluation for
this and we will not suddenly forget how to do sound
engineering and no we do not need to do all that
engineering right now for every possible future service
and nor do we need to include "don't forget to do
engineering" in this IESG statement.

Regards,
S.

On 04/09/2014 03:12 AM, l.wood@xxxxxxxxxxxx wrote:
> Gee, you don't need a threat analysis when you're going to protect against EVERYTHING!
>
> That's SECURITY!
>
> Lloyd Wood
> http://about.me/lloydwood
> ________________________________________
> From: ietf [ietf-bounces@xxxxxxxx] On Behalf Of Dick Franks [rwfranks@xxxxxxx]
> Sent: 09 April 2014 01:02
> To: t.p.
> Cc: IETF-Discussion
> Subject: Re: Security for various IETF services
>
> On 8 April 2014 09:32, t.p. <daedulus@xxxxxxxxxxxxx> wrote:
>
>
> The path that I have seen several Security ADs steer Working Groups down
> is to start with a threat analysis before deciding what counter measures
> are appropriate.
>
>
> Several contributors have been saying exactly that for almost a week.
>
> These suggestions have been answered by dismissive emails and a relentless bombardment of magic pixie dust.
>
>
>
>
