Re: Security for various IETF services

Stewart Bryant <stbryant@cisco.com> Mon, 07 April 2014 10:17 UTC

Return-Path: <stbryant@cisco.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B66EB1A038E for <ietf@ietfa.amsl.com>; Mon, 7 Apr 2014 03:17:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.511
X-Spam-Level:
X-Spam-Status: No, score=-9.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r8-UptJUOy8w for <ietf@ietfa.amsl.com>; Mon, 7 Apr 2014 03:17:26 -0700 (PDT)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) by ietfa.amsl.com (Postfix) with ESMTP id CBC191A018D for <ietf@ietf.org>; Mon, 7 Apr 2014 03:17:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1339; q=dns/txt; s=iport; t=1396865840; x=1398075440; h=message-id:date:from:reply-to:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=jWPcwz2ou0DZaHWhYqEiTFr8HUlzQjfsDUN4coI99XY=; b=b7mi5XYaMpk0hNv+R7GFjppQ+lXuzsHESfpebI2vzKcabmWvVBtCzGNh seMWBf1umzF+bU+Gr09E43TjVKzTbgoxhaxqUUY14ylhpRD8kaV+K3qLE sx+gmFd0IaL7JsL9QVNPJD3mzyv9XrkPeDtmtvTnjl1yxTjGvvzPh+55U U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhgFALJ6QlOQ/khM/2dsb2JhbABZgwY7xHGBIhZ0giUBAQEEODwEARALGAkWDwkDAgECAUUGAQwBBQIBAYd1Da5fnDwXjnEHhDgBA5hbkj+DMQ
X-IronPort-AV: E=Sophos;i="4.97,809,1389744000"; d="scan'208";a="14497462"
Received: from ams-core-3.cisco.com ([144.254.72.76]) by aer-iport-1.cisco.com with ESMTP; 07 Apr 2014 10:17:19 +0000
Received: from cisco.com (mrwint.cisco.com [64.103.70.36]) by ams-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id s37AHIBh022480 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 7 Apr 2014 10:17:19 GMT
Received: from STBRYANT-M-R010.CISCO.COM (localhost [127.0.0.1]) by cisco.com (8.14.4+Sun/8.8.8) with ESMTP id s37AHHJ9000475; Mon, 7 Apr 2014 11:17:18 +0100 (BST)
Message-ID: <53427B2D.1010205@cisco.com>
Date: Mon, 07 Apr 2014 11:17:17 +0100
From: Stewart Bryant <stbryant@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Dick Franks <rwfranks@acm.org>
Subject: Re: Security for various IETF services
References: <533D8A90.60309@cs.tcd.ie> <533EEF35.7070901@isdg.net> <CAKW6Ri5_Ty6rVsMTBKXEjC6r7Mg-o8pZoLQP+yJ4pBwqOF-nYw@mail.gmail.com> <533F0C7B.9090705@isdg.net> <CAKW6Ri699AuEOf-qf-iZ7vNdD7iEdF4uEnwX-HGB31EshJ_OXQ@mail.gmail.com> <53400355.7030807@isdg.net> <290E20B455C66743BE178C5C84F1240847E779EEBF@EXMB01CMS.surrey.ac.uk> <CAKW6Ri6jD4=pMdE_nsSnqyg6sKDT29_69_9jf=vfT2z6au7hNQ@mail.gmail.com> <5341D122.6010002@cs.tcd.ie>
In-Reply-To: <5341D122.6010002@cs.tcd.ie>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/K8MVquOYPKefywgzoAHFyMd-hbQ
Cc: IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: stbryant@cisco.com
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Apr 2014 10:17:30 -0000

On 06/04/2014 23:11, Stephen Farrell wrote:
>
> On 04/06/2014 08:27 PM, Dick Franks wrote:
>> On 5 April 2014 14:40, <l.wood@surrey.ac.uk> wrote:
>>
>>> "I didn't see anything that stood out. Are you referring to his why
>>> question?  Really?  It seems others answered why."
>>>
>>> they did not.
>>>
>>> Other noises off-stage are rrelevant
>> The author(s) of the proposal MUST provide the threat model for each
>> service and a reasoned argument why the proposed action mitigates the
>> identified threat or threats.
>>
>> Engineering best practice demands no less.
> I disagree. Asking for a threat model seems odd, since the
> proposed IESG statement isn't specific to a particular service
> and absent that you can't sensibly construct a threat model I
> think.
The request is surely that the specification of the application
include the threat model, which seems a very reasonable
requirement.
>
>> Transparent decision process demands no less.
> I have no idea what's apparently opaque.
>
>> Ignoring Lloyd Wood's question is not an option.
> LLoyd's questions were answered IMO.
I regret that I am not convinced they were.

Stewart
>
> S..
>
>
>
>>
>> Dick Franks
>>
>


-- 
For corporate legal information go to:

http://www.cisco.com/web/about/doing_business/legal/cri/index.html