Re: [secdir] Feedback about secdir reviews
David Harrington <ietfdbh@comcast.net> Mon, 26 March 2012 09:02 UTC
Return-Path: <ietfdbh@comcast.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2677421F84F6 for <secdir@ietfa.amsl.com>; Mon, 26 Mar 2012 02:02:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.462
X-Spam-Level:
X-Spam-Status: No, score=-102.462 tagged_above=-999 required=5 tests=[AWL=-0.137, BAYES_00=-2.599, DATE_IN_FUTURE_03_06=0.274, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kbe88+gorC-7 for <secdir@ietfa.amsl.com>; Mon, 26 Mar 2012 02:01:54 -0700 (PDT)
Received: from qmta07.emeryville.ca.mail.comcast.net (qmta07.emeryville.ca.mail.comcast.net [76.96.30.64]) by ietfa.amsl.com (Postfix) with ESMTP id 7FC5121F854D for <secdir@ietf.org>; Mon, 26 Mar 2012 02:01:54 -0700 (PDT)
Received: from omta24.emeryville.ca.mail.comcast.net ([76.96.30.92]) by qmta07.emeryville.ca.mail.comcast.net with comcast id q8zy1i0031zF43QA791u8G; Mon, 26 Mar 2012 09:01:54 +0000
Received: from [130.129.17.13] ([130.129.17.13]) by omta24.emeryville.ca.mail.comcast.net with comcast id q91f1i00D0Gv34a8k91ifR; Mon, 26 Mar 2012 09:01:52 +0000
User-Agent: Microsoft-MacOutlook/14.14.0.111121
Date: Mon, 26 Mar 2012 11:01:37 -0400
From: David Harrington <ietfdbh@comcast.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "secdir@ietf.org" <secdir@ietf.org>
Message-ID: <CB95F0C8.20130%ietfdbh@comcast.net>
Thread-Topic: [secdir] Feedback about secdir reviews
In-Reply-To: <4F7021BC.1010406@cs.tcd.ie>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: Re: [secdir] Feedback about secdir reviews
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 09:02:17 -0000
Hi,

I made some assumptions from that feedback during the IESG meeting given my experiences in non-sec areas.

Many secdir reviewers have a strong security background, but the authors of reviewed documents don't necessarily have the same level of grokking security. Authors may not grok "authn+authz+integrity+confidentiality+access control+..." Authors certainly may not know the best current practices for achieving authn [+authz] [+integrity] [+confidentiality] ...

There is an RFC to explain how to write a security considerations section, but the security considerations section example is HUGE - multi-pages of discussion.

It might be really helpful to have a wiki that discusses common problems in security reviews, plus some suggestions of how to solve the common problems. And I recommend the wiki be updated as new problems are run across in document reviews. Being able to point authors to such a wiki might help.

There is still the issue of the authors and WGs not grokking security. Sometimes the right answer is that the draft looks like it might have security issues, but actually doesn't introduce any new security problems, and a security person may be able to reach that conclusion fairly easily. But somebody that does not grok security needs to go learn all about security and trust domains and possible protocols and cryptosuites and so on to reach the same conclusion. They need advisors to help them work through the issues that may or may not be a problem.

The authors of raqmon got a review that said they had issues to consider. It took something like eight months (IIRC) for them to learn about and consider each issue and determine that the problems cited in the review really didn't exist for their protocol spec. That leaves a pretty bad taste in people's mouths.
My $.02

--
David Harrington
Director, Transport Area
Internet Engineering Task Force (IETF)
Ietfdbh@comcast.net
+1-603-828-1401

On 3/26/12 3:58 AM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote:

>
> Hi all,
>
> The IESG got some anonymized feedback today from the nomcom
> process.
>
> Part of that was that authors were unsure as to how to react
> to secdir reviews. And in particular, as to whether or not
> to engage with the secdir reviewer.
>
> I know we have some boilerplate [1] that tries to handle this,
> but it might be worth taking another look at that to see if
> we can make it better.
>
> Something for the lunchtime session on Tuesday.
>
> Cheers,
> S.
>
> [1] http://trac.tools.ietf.org/area/sec/trac/wiki/SecDirReview
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview