ietf-dkim

Re: [ietf-dkim] When will we know the Threat Analysis document is complete

2006-01-30 15:25:39

Dave,

Dave Crocker wrote:
> Folks,
>
> Jim has put in quite a bit of effort on the Threat Analysis document. Multiple iterations of a document, with revisions that are highly responsive to community feedback, usually makes for a document that is finished.
>
> In the current case, I find myself entirely unclear how we will know when it is *really* finished. Clearly it is not enough to simply run out of comments and suggestions from participants. The current mailing list discussion and issue-list management will satisfy the needs of the mailing list participants.
>
> However the document must satisfy the requirements of Security Area experts. How will we know when we have accomplished that? I am not aware of an explicit, stable reference against which we can target this document.
>
> With luck, my confusion is merely due to my having missed important management and documentation actions. I sure hope so.
>
> However the charter requires completing the threats document within about 30 days and I see no way to claim that we are likely to meet that milestone.
>
> d/
>
> ps. Please note that I am sending this to the WG, rather than -- for example -- our Area Director. At the moment, my concern is what WE know to be our task, rather than what he or his IESG colleagues might describe it to be.

This is always tricky and the short answer is that we won't know since
there may always be a vulnerability that we didn't think about.

In a commercial environment, you basically decide how much to spend
and then spend that much (though some people might say otherwise:-)

However, the IESG did accept our milestones and if we can demonstrate
that we made a good faith and technically competent effort to do the
job, then I think we have as good a defense as you can get in this
case. That's a reason why getting comments on the threats draft is
important. Silence on this produces no evidence (nor btw would simple
acclaim).

The IESG may in fact find additional work is needed, say if they note
a threat we didn't spot, but that'd be to the good in the end (other
than the hopefully slight delay it might introduce).

So, for me, being able to show (via the I-D, issues list and mail
archive) that we've done a good job should be enough. We'll see though.

Stephen.

PS: And in any case, IESG members are smart enough to be able to raise
issues regardless, if that's what they want to do.


_______________________________________________
ietf-dkim mailing list
http://dkim.org