Jim Fenton wrote:
Steve Atkins wrote:
Well, without knowing what threats SSP is supposed to mitigate, it's
impossible to start analyzing how well it does so. So identifying the
threats certainly can't be the last step, and I can't actually think of
anything that comes before that.
Where would you start?
RFC 5016.
Jim,
Normally, a requirements doc like 5016 comes after a problem description, not
before. A threats analysis is a problem description.
I read Steve's query as being about threats, not requirements.
As for RFC 4686, it says very little about the threats that SSP is expected to
mitigate.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html