ietf-dkim

[ietf-dkim] Re: Issue #1527:

2007-12-10 11:18:27


Dave Crocker wrote:


Stephen Farrell wrote:
For each proposed SSP feature, there needs to be a statement describing
the threat, the way that the feature will mitigate it and some
discussion of possible work-arounds and the ease with which they can be
used.

RFC 4868 [2] does contain some analysis of SSP from a year or
so ago. Can you describe some additional threats that aren't
covered there that we ought be considering? Or are there parts
of the analysis that need revisiting?


My review of what is covered in the earlier threats analysis, with
regard to SSP, is extremely minimal.

I'm confused by that sentence. It could mean your reading of 4868 was
minimal, or that you consider the analysis in 4868 minimal.

Are you saying that you think it is sufficient to provide a technical
basis for what is in the current specification?

No. I was asking for an example from you of what is missing or
wrong in 4868. I assume you have something in mind, since you raised
the specific issue.

Since you are the designated expert from the Security area, and since
you make technical contributions to the working group, your assessment
is significant.

Thanks. Though I'm not sure I'm a designated expert at anything:-)

I've not done the comparison as it happens, but I did ask Jim to do
that - in his slides from last week he indicated that he plans to
compare the SSP I-D against both 4868 and 5016 and report back. I
think that'll be a useful exercise, that might be a starting point for
more work or may be sufficient that the WG are happy to close this
issue.

Stephen.

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html