Re: draft-farrell-perpass-attack architecture issue

2014-01-16 14:08:18
On Thu, Jan 16, 2014 at 2:16 AM, Eliot Lear <lear(_at_)cisco(_dot_)com> wrote:

On 1/15/14 5:40 PM, Sam Hartman wrote:
"Eliot" == Eliot Lear <lear(_at_)cisco(_dot_)com> writes:


I absolutely agree that general guidance of this form would be valuable
either in some general security BCP that the other security BCPs
reference or restated in the security BCPs.

It is a basic precept of engineering that the earlier you spot a design
flaw, the less costly it is to address.  We needn't teach such basic
precepts in our series.

Then where should they be taught? Personally I prefer having the
fundamentals taught again and again rather than being in a single
place that most people have forgotten about. There are new people in
the IETF all the time, many of whom are new to this level of design. I
don't want to depend on ad hoc osmosis and "common knowledge" to get
the basic principles across.

we're not working on such a BCP now, so I'm trying to add the advice I
need to this BCP in order for it to work for me as a WG chair and
document author.

And as a working group chair you must balance ALL considerations and not
just this one.

Yes of course.

It's not so much a truism that we all agree to it.  I've definitely
worked with WGs that didn't want to consider these sorts of issues when
choosing technology and didn't seem to agree that they had to.

And I've seen participants all but derail working groups by solely
focusing on one design consideration.

If I'm understanding correctly, you're echoing the concern expressed a
week or two ago that the Security ADs were being given a Big Hammer
and tyrannical authority over every working group. No one is saying
this is the only architectural consideration - we have other RFCs on
protocol architecture. The text just says it really should be
considered. No?

Thanks ... Scott