Melinda Shore <melinda(_dot_)shore(_at_)gmail(_dot_)com> wrote:
>>> I'm sorry, but when we get to the point where we need to point to an
>>> RFC to stop progress on a document that has obvious vulnerabilities,
>>> our brains have fallen out.
>>
>> This is counterfactual. We used to routinely handwave about security.
> We still routinely handwave about security. It's an afterthought in
> entirely too many cases. Drafts are adopted by working groups while
> still having security considerations sections that consist in their
> entirety of "TBD." 3552's impacts have been, I think, on how documents
> are reviewed more than on how documents are developed.
I don't disagree that we still handwave.
I want to address the second part of the above statement.
I don't think it's a problem that a draft gets adopted as a WG item that is
incomplete in a variety of ways, including security considerations.
Let's not continue the trend to having a WG design team prior to having a WG.
One of the *KEY* things that a too well baked draft coming in to a WG messes
up is fixing the security issues; from ambiguous and arbitrarily different
encodings, to assumptions about what "Use IPsec" might mean.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr(_at_)sandelman(_dot_)ca http://www.sandelman.ca/ | ruby on
rails [