Re: [MIB-DOCTORS] Change the boilerplate - Alissa's DISCUSS

"ietfdbh" <ietfdbh@comcast.net> Fri, 11 July 2014 03:34 UTC

From: ietfdbh <ietfdbh@comcast.net>
To: 'Alissa Cooper' <alissa@cooperw.in>, 'Juergen Schoenwaelder' <j.schoenwaelder@jacobs-university.de>, 'Benoit Claise' <bclaise@cisco.com>
Cc: 'Adrian Farrel' <adrian@olddog.co.uk>, sec-ads@tools.ietf.org, "'MIB Doctors (E-mail)'" <mib-doctors@ietf.org>
Date: Thu, 10 Jul 2014 23:34:14 -0400
Subject: Re: [MIB-DOCTORS] Change the boilerplate - Alissa's DISCUSS
Archived-At: http://mailarchive.ietf.org/arch/msg/mib-doctors/2NQF_XPEr_3X67uTTZ4BzgvSD7o

"adding a special section or extra text to discuss privacy
concerns in the IoT-related documents is the right way to go."

+1

David Harrington
ietfdbh@comcast.net
+1-603-828-1401

> -----Original Message-----
> From: MIB-DOCTORS [mailto:mib-doctors-bounces@ietf.org] On Behalf Of
> Alissa Cooper
> Sent: Thursday, July 10, 2014 11:28 AM
> To: Juergen Schoenwaelder; Benoit Claise
> Cc: Adrian Farrel; sec-ads@tools.ietf.org; MIB Doctors (E-mail)
> Subject: Re: [MIB-DOCTORS] Change the boilerplate - Alissa's DISCUSS
> 
> Perhaps rather than re-discussing the boilerplate, we could discuss what
> the purpose of the boilerplate is.
> 
> If the purpose of the boilerplate is to provide text that authors can look
> at and say, “yes, in the case of this document, the boilerplate fully
> covers the security considerations of the MIB being specified,” then I
> think it’s a great thing to have. If the purpose of the boilerplate is to
> keep any additional security consideration not covered in the boilerplate
> from being addressed in a MIB document, then it seems overly constricting.
> 
> Security considerations change over time. I’m assuming that home/device
> energy monitoring wasn’t really top of mind when SNMP was developed or
> when the boilerplate was originally written. So it’s not surprising that
> new security issues are arising that aren’t addressed within the
> boilerplate. If the boilerplate were just a suggestion of text and not a
> limitation on what can be documented, we could accommodate the changing
> times fairly easily.
> 
> In my original DISCUSS, all I suggested was text that could be provided in
> addition to the boilerplate:
> 
> "In certain situations, energy and power monitoring can reveal sensitive
> information about individuals' activities and habits. Implementors of this
> specification should use appropriate privacy protections as discussed in
> Section 9 of RFC 6988 and monitoring of individuals and homes should only
> occur with proper authorization."
> 
> I have not had time to look at Stephen’s comments but I agree with him and
> Bert that adding a special section or extra text to discuss privacy
> concerns in the IoT-related documents is the right way to go.
> 
> Alissa
> 
> 
> On 7/10/14, 8:11 AM, "Juergen Schoenwaelder"
> <j.schoenwaelder@jacobs-university.de> wrote:
> 
> >On Thu, Jul 10, 2014 at 04:13:08PM +0200, Benoit Claise wrote:
> >> Dear all,
> >>
> >> The email below refers to Alissa's DISCUSS
> >> See
> >>
> >> http://datatracker.ietf.org/doc/draft-ietf-eman-energy-monitoring-mib/ballot/#alissa-cooper
> >>
> >> Alissa refers to this sentence in the boilerplate at
> >> http://trac.tools.ietf.org/area/ops/trac/wiki/mib-security
> >>
> >>         Implementations SHOULD provide the security features described by the
> >>         SNMPv3 framework (see [RFC3410]), and implementations claiming compliance
> >>         to the SNMPv3 standard MUST include full support for authentication and
> >>         privacy via the User-based Security Model (USM) [RFC3414] with the AES
> >>         cipher algorithm [RFC3826].
> >>
> >> From the discussion (Dan and Bert's feedback, on top of mine), it seems
> >> that there are valid reasons to keep a SHOULD here in the generic
> >> boilerplate.
> >>
> >> So what next?
> >> - Should we justify the reasons in the boilerplate?
> >> - Should we give some freedom in the boilerplate?
> >>
> >>         Implementations SHOULD provide the security features described by the
> >>         SNMPv3 framework (see [RFC3410]), and implementations claiming compliance
> >>         to the SNMPv3 standard MUST include full support for authentication and
> >>         privacy via the User-based Security Model (USM) [RFC3414] with the AES
> >>         cipher algorithm [RFC3826].
> >>
> >>         <if there are use cases where a MUST is required, describe them here>
> >>
> >>   Now, I hope it will not be abused by Security ADs, requesting a MUST
> >> for every single MIB module.
> >> - Something else?
> >> - Stop writing MIB modules :-)
> >>
> >
> >Do nothing, re-discuss this every other year. ;-)
> >
> >/js
> >
> >--
> >Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> >Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
> >Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
> 
> 