spwg nits

"H. Craig McKee" <mckee@smiley.mitre.org> Fri, 28 June 1991 14:26 UTC

Received: from nri.reston.va.us by NRI.NRI.Reston.VA.US id aa08292; 28 Jun 91 10:26 EDT
Received: from mwunix.mitre.org by NRI.NRI.Reston.VA.US id aa08230; 28 Jun 91 10:22 EDT
Return-Path: <mckee@smiley.mitre.org>
Received: from smiley.mitre.org by mwunix.mitre.org (5.61/SMI-2.2) id AA25662; Fri, 28 Jun 91 10:21:39 -0400
Received: from loghost.mitre.org by smiley.mitre.org (4.1/SMI-4.0) id AA18299; Fri, 28 Jun 91 10:24:49 EDT
Message-Id: <9106281424.AA18299@smiley.mitre.org>
To: spwg@NRI.Reston.VA.US
Subject: spwg nits
Date: Fri, 28 Jun 1991 10:24:49 -0400
From: "H. Craig McKee" <mckee@smiley.mitre.org>

What follows might reasonably be considered a bunch of nit picks.  But
I read the paper carefully and had difficulty.

>Proper use of file protection
>mechanisms (e.g., access control lists) so as to define and maintain
>appropriate file access control is also part of this responsibility.

This is part of section 2 concerning user responsibilities.
It seems to me the primary responsibility for file access control
lies with the system administrator, not the user.  For example, the
administrator may set the UNIX default permissions at -rw-r----- and
instruct users that any other setting requires his permission.

========================================
>3) Computer and network service providers are responsible for
>maintaining the security of the systems they operate.
=======================================
>	Primary responsibility for security necessarily rests with
>the owners and operators of the subscriber components of the
>Internet, that is, host and local network administrators.
========================================
>   Sites and network operators are encouraged to
>   review this material and use it freely. 
==========================================
>   A vendor or system developer should evaluate each system in terms
>of security controls prior to the introduction of the system into the
>Internet community.  
==========================================
>5) Users, service providers and hardware and software vendors are
>expected to cooperate in the provision of security.

I offer a plea for consistent terminology.  Your paper names a bunch 
of entities, and (except for "user"), I'm not sure I know who they
all are.  

computer and network service providers
owners and operators ... that is, host and local network administrators
site and network operators
vendor and system developer
service providers and hardware and software vendors
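The file-access example earlier in the message (an administrator setting the UNIX default to -rw-r----- and reserving any other setting for his own approval) can be shown concretely. The following script is an added illustration, not McKee's code or anything from the SPWG draft: it uses the known fact that a umask of 027 yields mode 640 (-rw-r-----) for newly created regular files, and it assumes the policy is an exact-match one, so an audit should report files that are either looser or tighter than the default. Only POSIX sh, umask, find and chmod are used.

```shell
#!/bin/sh
# Added example, not part of McKee's message or the SPWG draft it reviews.
# The administrator-set default -rw-r----- (octal 640) is what a umask of
# 027 yields for newly created regular files. These functions create files
# under that default and audit a directory for files whose permission bits
# differ from it, on the assumption that the policy means "exactly 640"
# and that any other setting needs the administrator's approval.

POLICY_MODE=640    # -rw-r----- : owner rw, group r, others nothing
POLICY_UMASK=027   # the umask that produces 640 for regular files

# create_default_file DIR NAME
# Create an empty regular file under the policy umask; the subshell keeps
# the umask change from leaking into the caller's environment.
create_default_file() {
    ( umask "$POLICY_UMASK" && : > "$1/$2" )
}

# files_violating_policy DIR
# Print every regular file below DIR whose permission bits are not exactly
# POLICY_MODE. find's -perm with a plain octal mode is an exact match in
# POSIX, so both looser (644) and tighter (600) files are reported.
files_violating_policy() {
    find "$1" -type f ! -perm "$POLICY_MODE"
}

# count_violations DIR
# Number of files reported by files_violating_policy, as a plain integer
# (tr strips the leading spaces some wc implementations print).
count_violations() {
    files_violating_policy "$1" | wc -l | tr -d ' '
}

# When run with a directory argument, audit it and exit non-zero if any
# file departs from the default (usable from cron or a login check).
if [ $# -gt 0 ]; then
    n=$(count_violations "$1")
    if [ "$n" -gt 0 ]; then
        echo "$n file(s) under $1 differ from mode $POLICY_MODE:" >&2
        files_violating_policy "$1" >&2
        exit 1
    fi
    echo "all regular files under $1 have mode $POLICY_MODE"
fi
```

Run as `sh audit_modes.sh /home/project` to list deviations; the exact-match check is deliberate, because a file made tighter than the default is also a deviation the administrator said he wanted to know about, and the subshell in create_default_file is what keeps the policy umask from silently becoming the caller's umask.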