ietf

Re: How many standards or protocols...

2002-05-03 09:02:14
On Fri, 03 May 2002 06:57:45 PDT, todd glassey said:
real-world for you... Letting a technologist blindly develop a protocol that
is supposed to work in a commercial world is in my opinion more dangerous
than allowing the salesperson to design a protocol for the technical world
to solve a problem that they are faced with on a daily basis. Especially as
the IETF

Find me a sales person who understands security well enough to do a better
job than IPSec, and then we'll talk.

Find me a sales person who understands routing issues well enough to do
a better job than BGP, and then we'll talk.

TSG: But isn't the requirements document most of the design in most
instances? If you can't define the need then the protocol definition is
at best speculative and ambiguous.

I never said that the sales people shouldn't be contributing the
requirements.  I said they shouldn't be designing the protocol.

Over in Detroit, they design cars.  They do a *LOT* of market research.
Market research may say that 75% of people interested in a certain model
car would be interested in a rear spoiler - but it would be quite negligent
to let the market researchers decide what size bolts to use to attach it
to the car, wouldn't it?

TSG: perhaps. But I am not clear that the IETF should produce anything other
than recommendations. That Internet Standards and anything
above an RFC is fodder for a more regimented and audited group.

Anybody who thinks the IETF does anything other than recommend doesn't
understand the IETF at all.

TSG: But who here in the IETF has done commercial security analysis or legal
analysis of what the use models for a Protocol does?

Erm... Jeff, Steve - will you wave hello to the nice gentleman, and
explain to him about the Security area within the IESG? ;)

It may be informative to go read the list of authors of the RFCs that come out
of that area, and ask yourself if your army of salespeople understands security
better than they do..... You might also want to go read Bruce Schneier's
"Secrets and Lies" and/or "Applied Cryptography", and learn why proprietary
security solutions are rarely, if ever, secure.


-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
