ietf-dkim

RE: [ietf-dkim] When will we know the Threat Analysis document is complete

2006-01-30 16:24:19
 

[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Stephen 
Farrell
Dave Crocker wrote:
The question is whether we are getting comments from the 
necessary folk?

The Security Area has a long history of being quite good at finding
(legitimate) flaws.  So the rest of us might well engage in 
super-human diligence and still not satisfy the folks with 
an effective veto.

How can we be proactive, in this regard?

Fair question. Barry and I already did seek some review and 
intend asking again when we're at the start of last call. I'd 
encourage others on this list to do the same if you can get 
additional review of the draft.

Not sure what more we can do. But suggestions are welcome.

There is a general problem with being sure that threats documents are
complete. I still don't think that there is a particularly good
methodology for determining coverage and it's not for lack of trying.

Fortunately it is a little easier to get the threat model past the IESG
using the algorithm: submit document A, read comments, add threats
described in comments to document A to create document B, submit
document B.

Where things get trickier is in demonstrating that we have successfully
covered the threat model.

What we need to do is to make it clear that we are proposing an
accountability-based scheme and not a permissions-based one. As such
'threats' need to be considered differently. We are not attempting to
develop an infallible security scheme here, in fact the starting point
for the design is that there will be failures and the system needs to be
robust in order to deal with them.

When making steel there is a tradeoff between hardness and brittleness.
Spring steel is not at all hard but you can strike it with a hammer and
it will not break. Cast iron is very hard, it will not deform under many
tonnes of pressure but it will crack if hit very hard. If you want to
build complex machines you need both types of material for different
purposes.  

_______________________________________________
ietf-dkim mailing list
http://dkim.org

  • RE: [ietf-dkim] When will we know the Threat Analysis document is complete, Hallam-Baker, Phillip <=