
Re: Security

2002-10-16 11:52:54

"Choudhary, Abdur R (Rahim)" <arc(_at_)lucent(_dot_)com> writes:
Thank you for the input. I did not mean to suggest that there ought
to be competing Security Policies at layer 3. What I did mean to
suggest is that Security is a fairly dynamic field at this
time. We expect that the requirements and operational environment
will change, and do so at a speed that might not be slow enough for
the current approach that IETF seems to have taken. For instance try
to see how the approach would accommodate requirements for "Security
Auditing in VoIP".

1) The IETF is not a monolithic entity. It is a group of engineers. If
   you wish to propose a new security protocol, nothing prevents you
   from doing so. If consensus is that it is good, it would even end
   up published as a standard.
2) Repeating: the IETF does not have an "approach". It is a group of
   engineers, not an organism. It does not have a single opinion. It
   has a set of documents it has produced.
3) Additional bureaucracy, etc., in designing security protocols is
   unlikely to improve security.
4) Additional "frameworks", etc., are unlikely to help.
5) Additional committees are also unlikely to help.
6) Vague comments about "the dynamic nature of the Security
   requirements" are unlikely to illuminate anything. They have all
   the content of political speeches without the entertainment
   value.
7) It is easiest in life to accomplish by doing something rather than
   proposing that someone ELSE do something.

What produces successful new protocol work? Lots of hard thinking
(security is frequently a hard problem) and running code, followed by
rough consensus based documentation and standardization. Unfortunately,
it is much easier to engage in vague discussion or proposals than to
think, and far easier to propose bureaucracies than to write code.


Perry
