ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Security for various IETF services

2014-04-09 04:05:43
from [l.wood] [Permanent Link] 
Stephen,

once again I refer you to
http://www.ietf.org/mail-archive/web/ietf/current/msg81787.html


we will not suddenly forget how to do sound engineering 


oddly enough, that happens. DTNRG forgot checksums, the
end-to-end-principle, designing for embedded systems...

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: Stephen Farrell [stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie]
Sent: 09 April 2014 09:43
To: Wood L  Dr (Electronic Eng); rwfranks(_at_)acm(_dot_)org; 
daedulus(_at_)btconnect(_dot_)com
Cc: ietf(_at_)ietf(_dot_)org
Subject: Re: Security for various IETF services

I love how folks who it seems would rather we do nothing
are asking for more security process in this case.

IMO, the tools folks haven't gone terribly wrong on this in
the past and are not likely to do so in future. We are also
not developing new protocols for broad Internet use here
but rather talking about an IESG statement that those who
develop tooling and who deploy services should find useful
when considering new IETF services such as some new web
tool or remote participation tool. The statement also
reminds them to not go OTT and break stuff just in order
to improve security.

So no, we do not need a common criteria evaluation for
this and we will not suddenly forget how to do sound
engineering and no we do not need to do all that
engineering right now for every possible future service
and nor do we need to include "don't forget to do
engineering" in this IESG statement.

Regards,
S.

On 04/09/2014 03:12 AM, l(_dot_)wood(_at_)surrey(_dot_)ac(_dot_)uk wrote:

Gee, you don't need a threat analysis when you're going to protect against 
EVERYTHING!

That's SECURITY!

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: ietf [ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of Dick Franks 
[rwfranks(_at_)acm(_dot_)org]
Sent: 09 April 2014 01:02
To: t.p.
Cc: IETF-Discussion
Subject: Re: Security for various IETF services

On 8 April 2014 09:32, t.p. 
<daedulus(_at_)btconnect(_dot_)com<mailto:daedulus(_at_)btconnect(_dot_)com>> 
wrote:


The path that I have seen several Security ADs steer Working Groups down
is to start with a threat analysis before deciding what counter measures
are appropriate.


Several contributors have been saying exactly that for almost a week.

These suggestions have been answered by dismissive emails and a relentless 
bombardment of magic pixie dust.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Security for various IETF services, l.wood
Next by Date:  Re: Security for various IETF services, Stephen Farrell
Previous by Thread:  Re: Security for various IETF services, Stephen Farrell
Next by Thread:  Re: Security for various IETF services, Yoav Nir
Indexes:  [Date] [Thread] [Top] [All Lists]