Re: [secdir] secdir review of draft-ietf-i2rs-pub-sub-requirements-06

"Scott G. Kelly" <scott@hyperthought.com> Fri, 29 April 2016 21:35 UTC

To: "Eric Voit (evoit)" <evoit@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/IgKcSbq7m6393MkOm9jCjV7OhaU>
Cc: "draft-ietf-i2rs-pub-sub-requirements.all@ietf.org" <draft-ietf-i2rs-pub-sub-requirements.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>

Hi Eric,

On Thursday, April 28, 2016 7:11am, "Eric Voit (evoit)" <evoit@cisco.com> said:

<trimmed for readability...>
 
> Hi Scott,
> 
> Section 2.1 provides multiple references to numbered requirements in three other
> i2rs documents:
> - [i2rs-usecase] draft-ietf-i2rs-usecase-reqs-summary
> - [i2rs-arch] draft-ietf-i2rs-architecture
> - [i2rs-traceability] draft-ietf-i2rs-traceability
> Some of these references are coupled to security uses.   Look to those referred
> documents for details.

Yes, you are right, those documents do provide related use cases and requirements rationale. Also of note: draft-ietf-i2rs-protocol-security-requirements.

Now I remember Sue Hares asking secdir for review help with this complex document set, and I can see why.

When I first looked at the protocol security requirements draft, I wondered if you should simply refer to that. I realize you are focusing only on YANG pub/sub requirements here, but maybe that is still worth considering.
 
If you choose to maintain security requirements in this document, I would suggest adopting a pattern similar to that followed by draft-ietf-i2rs-protocol-security-requirements-03, and referring to the document(s)/numeric requirement(s) driving your MUSTs/SHOULDs.

Thanks,

Scott