Re: [apps-discuss] Proposal for a Finance Area Mailing List

[Walter <walter.stanish@gmail.com>]

>> Perhaps the formalistic side of the IETF's grizzled core expertise
>> might be more valuable when applied to, for example:
>>  (1) the design of bindings between a message oriented application
>> layer financial transaction protocol that comes out of the mailing
>> list in question (either formalized through a later formed BOF or WG,
>> or not) and various available transports (as per JeffH's suggestion).
>>  (2) the design of optional security related extensions for the same
>>
>> Both of these areas strike me as best approached at some later stage,
>> for example after discussions have occurred on the proposed list.
>
> IMO "optional security extensions later" for this would be a bad,
> and in the IETF, unlikely, plan if it came to developing a protocol
> like this.
>
> I've no opinion on whether this ought be done, here or anywhere,
> but if done here, I do have an opinion on when security needs to
> be tackled.

Fair concern.  Let me explain the source of the comment.

During research thus far it has been discovered that certain financial
transaction systems are stupendously latency sensitive to the point
where mandatory security processing is unacceptable.  Thankfully, said
systems may operate between known parties (even parties internal to
one organization) via trusted transport and physical layers.

This is not to say that more typical internet style approaches to
protocol security would be ignored; far from it, they would be the
norm rather than the exception. Simply in an effort to avoid
additional assumptions within the design (see strategy (b), previous
email), it is considered desirable to maintain the protocol's ability
to switch off, or optionally delegate authentication and integrity
services to lower network layers.

Regards,
Walter Stanish
Payward, Inc.