Dave Crocker wrote:
> I take it from that that 1527 is therefore not related to a
> specific perceived threat, but is rather a generic request
> for additional threat analysis. I'm ok with that.
>
> To expand on this: Over the flurry of exchanges in the last week or so
> -- actually going much farther back, but this past week is enough for
> this point -- a number of different participants have asked about the
> perceived threats that provide a motivation for one or another SSP
> feature. None or few of these are discussed in the existing threats
> analysis RFC.
David, just for the record, it was you who did not want any SSP
considerations done in order to facilitate the completion of the TA:
[ietf-dkim] Expediting the threat analysis for -core
http://mipassoc.org/pipermail/ietf-dkim/2005q4/001470.html
But all the formal exercise was well on its way to being done, the
engineering, insight were all debated, deep threat analysis and boundary
conditions were presented, analyzed, discussed, expanded upon, etc., etc.
But you preferred it to be out of scope for the TA and that's what you got.
The only reason there is a minimal official reference now in the final
TA RFC was because there were certain clear threats to DKIM-BASE which
could not be addressed without a reference to a POLICY concept and these
were the only threats the key cogs, including yourself, wanted to have in
the TA.
Why do you think I wrote the DSAP I-D? To highlight those security
threats with DKIM-BASE the cogs did not want to address or deemed
irrelevant or not deemed possible or had no perceived threat.
> All of which suggests that there is a formal exercise needed.
With all the work that has been done, it should be quite easy to produce it.
--
Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com