
Re: Last Call: <draft-farrell-perpass-attack-02.txt> (Pervasive Monitoring is an Attack) to Best Current Practice

2014-01-01 21:40:01
On 1/1/14 6:11 PM, Ted Lemon wrote:
> On Jan 1, 2014, at 6:07 PM, Melinda Shore <melinda(_dot_)shore(_at_)gmail(_dot_)com> wrote:
>> I'm sorry, but when we get to the point where we need to point to
>> an RFC to stop progress on a document that has obvious
>> vulnerabilities, our brains have fallen out.
>
> This is counterfactual.  We used to routinely handwave about
> security.

We still routinely handwave about security.  It's an afterthought
in entirely too many cases.  Drafts are adopted by working groups
while still having security considerations sections that consist
in their entirety of "TBD."  3552's impacts have been, I think,
on how documents are reviewed more than on how documents are
developed.

One of the reasons I'm somewhat annoyed about the wave of
gasbaggery and pontification that has followed truly disturbing
revelations about the extent to which the US government has
undermined privacy and compromised security technologies is
that work which might have helped provide tools to mitigate
some of the soft spots in IETF work has been backburnered in
favor of no small amount of unfocused grandiosity that doesn't
actually change much.

At any rate this draft is not RFC3552.  3552 provides very specific
guidelines for what needs to be considered in
writing^H^H^H^H^H^H^H^Hreviewing security considerations.

It is tempting to just let this through last call in hopes that
once it's done we can come back around to prioritizing work like
fixing PKI but I'd be very sorry indeed to see this published as a
BCP.

Melinda
