Stephen Farrell wrote:
I understood that you seek to throw the issue back onto me.
Well you did raise the issue, so its fair to ask.
yup.
I think
that a threats review should be performed by folks with a background in
security, such as yourself.
I take it from that that 1527 is therefore not related to a
specific perceived threat, but is rather a generic request
for additional threat analysis. I'm ok with that.
To expand on this: Over the flurry of exchanges in the last week or so --
actually going much farther back, but this past week is enough for this point
-- a number of different participants have asked about the perceived threats
that provide a motivation for one or another SSP feature. None or few of
these are discussed in the existing threats analysis RFC.
All of which suggests that there is a formal exercise needed. As we saw with
the original exercise, these efforts can be pushed to extremes seeking
mathematical precision. Like everyone else in the group, I think that that is
not productive. However we do need at least the basics that, for example,
distinguish deep, strategic threats versus distracting tactical ones, in order
to give some ranking to the issues that an SSP must solve, versus issues that
it can provide, at best, only superficial relief.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html