SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: Question on security document



    Here is the problem.
    
    I create an informational RFC that includes compliance statements (I want to
    use 3Des, AES would be nice, etc.)
    I create a standards track RFC and point to the informational RFC to provide
    security
    I don't think you can do this - I know that you would not be able to go up
    the standards track because you are required to have all of your dependacies
    at your level of standardization or higher (It makes no sense to have a full
    standard dependant on a standard that is at draft standard level)
    
    Bob is technically correct.  What I hope this group does is pick up the
    correct verbage from the security draft and put it into the standards
    protocol documents, or put the security doc on the standards track
    
    Bill
    
    -----Original Message-----
    From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
    Ofer Biran
    Sent: Thursday, October 18, 2001 9:03 AM
    To: Robert Snively
    Cc: 'Paul Koning'; cmonia@NishanSystems.com; ips@ece.cmu.edu
    Subject: RE: Question on security document
    
    
    Bob,
    
    The intention of the security document was tutorial, elaborated discussion,
    motivations and more detailed guidelines and recommendations for the
    security aspects.
    
    The "official" mandatory statements are only in the standard RFCs. I'm not
    sure
    about the IETF rule for informational RFC but I don't see a problem with
    MUST
    statements there as long as they are in sync with the corresponding
    standard
    RFC.
    
       Regards,
          Ofer
    
    
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    
    Robert Snively <rsnively@Brocade.COM>@ece.cmu.edu on 18/10/2001 17:35:35
    
    Please respond to Robert Snively <rsnively@Brocade.COM>
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   "'Paul Koning'" <ni1d@arrl.net>, cmonia@NishanSystems.com
    cc:   ips@ece.cmu.edu
    Subject:  RE: Question on security document
    
    
    
    Paul,
    
    I rather prefer to see the security mandates carried in
    the primary documents, as our IETF mentors originally proposed.
    That way, there is less possibility of inconsistent
    language that may change the primary documents.  Then the
    security document would be a tutorial and remain informational.
    This will simplify the standardization process, because
    each of us will only have to read the security document for
    guidelines to our development of the security section of the
    primary documents.  If we were to make the security document
    the standard, then each of us will have to
    read the entire document to make sure that some global
    restriction does not fall unintentionally on a particular
    protocol.
    
    If we do choose to make the security document the authoritative
    document (which I would vote against), then it needs a major
    rewrite to clarify, separate, and make more precise the requirements for
    each protocol.
    
    Charles,
    
    If the security document was intended as a draft of the security
    sections for each protocol, it needs a major rewrite to separate
    the particular language to be dropped into each document from the
    tutorial information.  It then needs to formulate much more
    clearly and formally the language that will be dropped into the
    primary documents.  That would be okay with me, but the draft
    should indicate that the language to be dropped into the
    primary documents is only proposed and that the actual applicable
    standards information is contained in the primary document.
    
    Bob
    
    > -----Original Message-----
    > From: Paul Koning [mailto:ni1d@arrl.net]
    > Sent: Thursday, October 18, 2001 7:37 AM
    > To: cmonia@NishanSystems.com
    > Cc: ips@ece.cmu.edu
    > Subject: RE: Question on security document
    >
    >
    > Excerpt of message (sent 17 October 2001) by Charles Monia:
    > > Hi:
    > >
    > > I had assumed that one goal of the document was to set
    > forth the language
    > > necessary for each spec to pass muster with the IESG in the realm of
    > > security.  If that's correct, I'm concerned that the
    > suggested change may
    > > compromise that intent.
    > >
    > > Charles
    > > > -----Original Message-----
    > > > From: Robert Snively [mailto:rsnively@Brocade.COM]
    > > > Sent: Wednesday, October 17, 2001 4:31 PM
    > > > To: 'ips@ece.cmu.edu'
    > > > Subject: Question on security document
    > > >
    > > >
    > > > I have a recommendation to the authors of the security
    > > > document:
    > > > ...
    >
    > The problem, as Bob is right to point out, is that informational RFCs
    > by definition cannot establish requirements on implementations.  So if
    > you want there to be security requirements that apply to iFCP, iSCSI,
    > and so on, they can only be stated in standards track RFCs, not
    > informational RFCs.  It may be a separate document or part of the IPS
    > document it applies to.
    >
    > So one answer is for the security draft not to be informational
    > anymore.
    >
    >    paul
    >
    >
    
    
    
    


Home

Last updated: Thu Oct 18 13:17:25 2001
7282 messages in chronological order