[Re: Internet Security Guidelines I-D FROM: Steve Kent]

[James M Galvin <galvin@tis.com>]

For completeness.

Jim

------- Forwarded Message

Message-ID: <9106202242.AA23633@venera.isi.edu>
From:       Steve Kent <kent@BBN.COM>
To:         Craig Partridge <craig@sics.se>
cc:         iab@ISI.EDU, ietf@ISI.EDU
Date:       Thu, 20 Jun 91 18:33:25 -0400
Subject:    Re: Internet Security Guidelines I-D 

Craig,

	First, let me observe that the part of the policy guidelines
that caught your attention is one which I did not significantly
change, i.e., your objection was equally valid with regard to the text
approved by the IESG and sent to the IAB.  So, your comment should be
viewed as indicative of an oversight in the course of the prior IESG
review, not a comment about a revision as sent to the IESG by the IAB.

	Second, I agree with your concern, but note that the first
item in the Appendix of the document explicitly mentions site
responsibility for making local security policy known, I quote from
the original ID:

"(i)   There must be a clear statement of the local security policy, and
       this policy must be communicated to the users and other
       relevant parties.  The policy should be on file and available
       to users at all times, and should be communicated to users as
       part of providing access to the system."

	So, the question may be whether this warrents inclusion in one
of the top level guidelines as you suggest, or whether the discussion
in the Appendix suffices.  I have no objection to making this
consideration more prominent, but I'll leave it to the original
authors to perform the next round of edits.

Steve

------- End of Forwarded Message