ietf-dkim

Re: [ietf-dkim] Structure of the threat analysis...

2005-10-14 13:28:42
Oops, meant to answer this yesterday...

Stephen Farrell wrote:


Hi Jim,


Jim Fenton wrote:


I have been planning on a minor revision of the threat document before the revised draft cutoff (Oct 24), but can do something more aggressive if it's a real improvement that will move us closer to chartering.

So I would like a reading from Russ as to whether he views the structure you propose as an improvement, and whether the current structure is adequate, before making a sweeping change such as this.


That's a fair question. Though I'm not sure if Russ is listening here
right now.


Please, let's ask.


So that's clear now (and good too!). Would you now agree that if
we include the threat analysis RFC as a milestone then the
restructuring makes sense? (Honestly - I believe you'll end up
with less work and not more.)

That's fine. I'll go ahead and make my minor changes and publish -01 for now, in the current structure, in order to (hopefully!) work out some inconsistencies between the threat analysis and the base and SSP drafts (which are being revised as well).


Agree that the vulnerability is in scope (although IMO a little far-fetched, given the timing uncertainties of sending a message through an MTA.) And agree that this belongs in the security considerations section of the base proposal. What isn't clear to me is why the same thing needs to appear in both the threat analysis and the base document. As it stands, the threat analysis mentions three important threats, and refers the reader to the security considerations section of the base document for more. Isn't it sufficient to have it in one place?


Possibly. I'd prefer to see all the threat analysis in one document or
at least all we can do before the protocol is finalised, which in this
case is a lot.

I see that the draft charter has WG last call for the threat analysis in 2/06, and for the base and SSP specifications in 05/06 and 09/06 respectively. Will it be possible to complete the threat analysis of DKIM itself while the specifications are not finalized?

-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org