RE: Security for various IETF services

<l.wood@surrey.ac.uk> Sun, 06 April 2014 22:50 UTC

Return-Path: <l.wood@surrey.ac.uk>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F28D91A032F for <ietf@ietfa.amsl.com>; Sun, 6 Apr 2014 15:50:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQAjg9oOj-ft for <ietf@ietfa.amsl.com>; Sun, 6 Apr 2014 15:50:31 -0700 (PDT)
Received: from mail1.bemta14.messagelabs.com (mail1.bemta14.messagelabs.com [193.109.254.115]) by ietfa.amsl.com (Postfix) with ESMTP id A2F531A02F0 for <ietf@ietf.org>; Sun, 6 Apr 2014 15:50:30 -0700 (PDT)
Received: from [193.109.255.147:40675] by server-11.bemta-14.messagelabs.com id 83/B2-09902-03AD1435; Sun, 06 Apr 2014 22:50:24 +0000
X-Env-Sender: l.wood@surrey.ac.uk
X-Msg-Ref: server-11.tower-72.messagelabs.com!1396824624!10451848!1
X-Originating-IP: [131.227.200.39]
X-StarScan-Received:
X-StarScan-Version: 6.11.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 9495 invoked from network); 6 Apr 2014 22:50:24 -0000
Received: from exht012p.surrey.ac.uk (HELO EXHT012P.surrey.ac.uk) (131.227.200.39) by server-11.tower-72.messagelabs.com with AES128-SHA encrypted SMTP; 6 Apr 2014 22:50:24 -0000
Received: from EXMB01CMS.surrey.ac.uk ([169.254.1.150]) by EXHT012P.surrey.ac.uk ([131.227.200.39]) with mapi; Sun, 6 Apr 2014 23:50:23 +0100
From: <l.wood@surrey.ac.uk>
To: <stephen.farrell@cs.tcd.ie>, <rwfranks@acm.org>
Date: Sun, 6 Apr 2014 23:49:59 +0100
Subject: RE: Security for various IETF services
Thread-Topic: Security for various IETF services
Thread-Index: Ac9R5VFfQ9yrlLCtQ66a/yfO4AYUnAABTiWQ
Message-ID: <290E20B455C66743BE178C5C84F1240847E779EEC3@EXMB01CMS.surrey.ac.uk>
References: <533D8A90.60309@cs.tcd.ie> <533EEF35.7070901@isdg.net> <CAKW6Ri5_Ty6rVsMTBKXEjC6r7Mg-o8pZoLQP+yJ4pBwqOF-nYw@mail.gmail.com> <533F0C7B.9090705@isdg.net> <CAKW6Ri699AuEOf-qf-iZ7vNdD7iEdF4uEnwX-HGB31EshJ_OXQ@mail.gmail.com> <53400355.7030807@isdg.net> <290E20B455C66743BE178C5C84F1240847E779EEBF@EXMB01CMS.surrey.ac.uk> <CAKW6Ri6jD4=pMdE_nsSnqyg6sKDT29_69_9jf=vfT2z6au7hNQ@mail.gmail.com>, <5341D122.6010002@cs.tcd.ie>
In-Reply-To: <5341D122.6010002@cs.tcd.ie>
Accept-Language: en-US, en-GB
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-GB
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/U0RWQ-7EoYSBlh4zBSzuA-ncQiU
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Apr 2014 22:50:35 -0000

> LLoyd's questions were answered IMO.

they weren't.

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: ietf [ietf-bounces@ietf.org] On Behalf Of Stephen Farrell [stephen.farrell@cs.tcd.ie]
Sent: 06 April 2014 23:11
To: Dick Franks
Cc: IETF Discussion
Subject: Re: Security for various IETF services

On 04/06/2014 08:27 PM, Dick Franks wrote:
> On 5 April 2014 14:40, <l.wood@surrey.ac.uk> wrote:
>
>> "I didn't see anything that stood out. Are you referring to his why
>> question?  Really?  It seems others answered why."
>>
>> they did not.
>>
>> Other noises off-stage are rrelevant
>
> The author(s) of the proposal MUST provide the threat model for each
> service and a reasoned argument why the proposed action mitigates the
> identified threat or threats.
>
> Engineering best practice demands no less.

I disagree. Asking for a threat model seems odd, since the
proposed IESG statement isn't specific to a particular service
and absent that you can't sensibly construct a threat model I
think.

> Transparent decision process demands no less.

I have no idea what's apparently opaque.

> Ignoring Lloyd Wood's question is not an option.

LLoyd's questions were answered IMO.

S..



>
>
> Dick Franks
>