[re: Internet Security Guidelines I-D FROM: Craig Partridge]

James M Galvin <galvin@tis.com> Tue, 18 June 1991 20:37 UTC

Received: from nri.reston.va.us by NRI.NRI.Reston.VA.US id aa16357; 18 Jun 91 16:37 EDT
Received: from TIS.COM by NRI.NRI.Reston.VA.US id aa16136; 18 Jun 91 16:27 EDT
Received: from TIS.COM by TIS.COM (4.1/SUN-5.64) id AA23300; Tue, 18 Jun 91 16:28:00 EDT
Message-Id: <9106182028.AA23300@TIS.COM>
Reply-To: James M Galvin <galvin@tis.com>
To: saag@tis.com
Cc: Security Policy Working Group <spwg@NRI.Reston.VA.US>
Subject: [re: Internet Security Guidelines I-D FROM: Craig Partridge]
Date: Tue, 18 Jun 1991 16:27:59 -0400
From: James M Galvin <galvin@tis.com>

Comments from Craig Partridge.

Jim

------- Forwarded Message

Message-ID: <9106180724.AA14000@garuda.sics.se>
Sender:     craig@sics.se
From:       Craig Partridge <craig@sics.se>
To:         Steve Kent <kent@bbn.com>
cc:         iab@ISI.EDU, ietf@ISI.EDU
Date:       Tue, 18 Jun 91 09:24:09 +0200
Subject:    re: Internet Security Guidelines I-D


Steve:

    I've got a comment.  I'm deeply distressed by the guidelines
which place responsibilities on the users without placing any responsibilities
on providers to notify users.  In my experience, some level of "abuse" is by
users who aren't told what's correct.  So I'd change item (3) from

> 3) Computer and network service providers are responsible
> for maintaining the security of the systems they operate.

to

+ 3) Computer and network service providers are responsible
+ for maintaining the security of the systems they operate
+ and for notifying users of their security policies
+ and any changes to their security policies.

Yes, I know about the old saw "ignorance of the law is not a defense";
however, we have mechanisms in society at large to make people aware
of the laws they are living under (e.g. driver's tests, civics laws,
newspapers, etc.) -- we should make sure that a similar information
mechanism is available on networks.  (I note that Appendix A(i) mentions
this need, but I believe it must be stated more forcefully as an integral
part of the system).

Craig

------- End of Forwarded Message