Re: Draft Security Policy

postel@venera.isi.edu Thu, 18 October 1990 03:00 UTC

Received: from venera.isi.edu by NRI.NRI.Reston.VA.US id aa16423; 17 Oct 90 23:00 EDT
Received: from bel.isi.edu by venera.isi.edu (5.61/5.61+local) id <AA02848>; Wed, 17 Oct 90 19:59:15 -0700
Date: Wed, 17 Oct 1990 16:15:11 -0700
From: postel@venera.isi.edu
Posted-Date: Wed, 17 Oct 90 16:15:11 PDT
Message-Id: <9010172315.AA10859@bel.isi.edu>
Received: by bel.isi.edu (4.1/4.0.3-4) id <AA10859>; Wed, 17 Oct 90 16:15:11 PDT
To: psrg-interest@venera.isi.edu, rdp@cert.sei.cmu.edu, saag@tis.com, spwg@NRI.Reston.VA.US, ssphwg@NRI.Reston.VA.US
Subject: Re: Draft Security Policy
Status: O

Rich:

Hi.  I see no evidence that the following comments were processed.

I really am perplexed by the paragraph:

  Security is understood to include protection of the privacy of 
  information, protection of information against unauthorized 
  modification, protection of systems against denial of service, and 
  protection of systems against unauthorized access or use.  ["access" 
  covers unauthorized database lookup, for example; "use" covers 
  unauthorized logging in to a system.] 

I don't see where this "access" vs "use" distinction is made use of later,
and i don't see any difference in the supposed definitions.

--jon.

	Date: Tue, 9 Oct 90 15:08:00 PDT
	From: postel@ISI.EDU
	To: rdp@sei.cmu.edu
	Subject: re: revised security policy draft
	Cc: crocker@tis.com, iab@ISI.EDU, iesg@ISI.EDU


	Richard:

	1) i don't quite understand "['access' covers unauthorized database
	lookup, for example; 'use' covers unauthorized logging into a
	system.]".  Is a "database lookup" like (case 1) DNS query or a
	'whois' query, or is it like (case 2) searching for citations in
	a bibliographic data base or looking up flights in the OAG?  I
	can't imagine how case 1 like queries could be unauthorized, and
	i think all case 2 queries are really examples of "use".

	2) The appendix by James Van Bokkelen has already been published
	as RFC-1173.

	--jon.