ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC

2014-07-09 03:48:31
from [Eliot Lear] [Permanent Link] 
Dear IESG,

I have a question and several comments (with proposed edit) for your and
the author's consideration.

First, and most abstractly, this document defines opportunistic security
solely in terms of encryption.  Indeed Section 2 states:

   In summary, opportunistic security is an umbrella term that
   encompasses protocol designs that remove barriers to the widespread
   use of encryption in the Internet.

My question: are there other forms of opportunistic security that this
definition would foreclose?  For example, might taking advantage of
physical presence also be a form of opportunistic security?

Second, the abstract doesn't match the document.  The abstract states
that "This memo defines the term "opportunistic security".  It goes much
further than defining that term.  Rather it specifies requirements for
and characteristics of opportunistic security, complete with normative
language.  My suggestion would be to restate the abstract as follows:

OLD:

   This memo defines the term "opportunistic security".  In contrast to
   the established approach of delivering strong protection some of the
   time, opportunistic security strives to deliver at least some
   protection most of the time.  The primary goal is therefore broad
   interoperability, with security policy tailored to the capabilities
   of peer systems.



NEW:

   This memo defines the term "opportunistic security" and its attributes,
   and specifies requirements for implementing it in IETF protocols.  In
   contrast to the established approach of delivering strong protection some
   of the time, opportunistic security strives to deliver at least some
   protection most of the time.  The primary goal is therefore broad
   interoperability, with security policy tailored to the capabilities
   of peer systems.


If people think the word "requirements" is too strong, then perhaps
"guidance".  Given the use of normative language, you may also wish to
consider making this document a BCP and reviewing it in that light.

Finally, an editorial nit: I suggest that the 2119 boiler plate be moved
up to prior to first use of 2119 normative language (like bottom of
Section 1).

Eliot
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC, Viktor Dukhovni
Next by Date:  RE: Security review of draft-ietf-pce-questions-06, Adrian Farrel
Previous by Thread:  Re: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC, Tim Bray
Next by Thread:  Re: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC, Stephen Farrell
Indexes:  [Date] [Thread] [Top] [All Lists]