
RE: what is a threat analysis?

2005-08-12 07:03:00


From: ietf-bounces(_at_)ietf(_dot_)org [mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of Stephen Kent

Dave & Michael,

In the DoD environment, a threat analysis for a system identifies the 
classes of adversaries that the author believes are of concern, and 
describes their capabilities and motivations. Russ's three questions 
are a concise way of stating this:
      - The "bad actors" are adversaries.
      - Their capabilities allude to where the adversaries "fit into the
        system" and what sorts of attacks they may employ to effect
        their goals.
      - Their motivations indicate what they are trying to do, the flip
        side of "what are we trying to prevent them from doing."

There is still a potential ambiguity here: there are actually two types
of threat analysis:

  1) Of the system in which the proposal is intended to provide a control

  2) Of the proposal itself

These are somewhat different: the first question is 'What problem is the
protocol intended to solve?', the second is 'Does the protocol provide
the security assurances it is intended to?'.

Both sets of analysis are important steps towards answering the question
'Will the protocol actually make a difference'.

One of the implicit criticisms of DKIM is that previous attempts to
apply cryptography to email only answered the second question; the first
was more or less taken for granted. Since a reasonably complete threat
model of the first type was provided before Russ asked the question at
the BOF, I assume that he is (correctly in my view) asking for an
analysis of the first type.

Security is a property of systems, not protocols.
