->-----Original Message-----
->From: Harald Tveit Alvestrand [mailto:Harald(_at_)Alvestrand(_dot_)no]
->Sent: Friday, May 26, 2000 6:27 PM
->To: Brian(_dot_)Rubarts(_at_)BORN(_dot_)COM
->Cc: ietf(_at_)ietf(_dot_)org
->Subject: RE: Storage over Ethernet/IP
->The point being made, remade and made again here is:
->- Any protocol that offers no means of countering such security threats is
->broken, and should not be considered for standardization.
->It is perfectly possible that after conducting a threat and modality
->analysis, one ends up with saying that hardware-accelerated IPsec using
->host identities is adequate for the scenarios involving
->otherwise-unprotected Internet links, and that a mode with no protection is
->adequate when the media is physically secured.
->
->But the analysis MUST BE DONE.
->
Is vulnerability and threat analysis part of the standardization process?
/pd