Re: [yam] [Fwd: [secdir] secdir review of draft-ietf-yam-rfc1652bis-03]

Ned Freed <ned.freed@mrochek.com> Mon, 08 March 2010 00:29 UTC

Date: Sun, 07 Mar 2010 16:22:55 -0800 (PST)
From: Ned Freed <ned.freed@mrochek.com>
To: John C Klensin <john-ietf@jck.com>
Cc: barryleiba@computer.org, dcrocker@bbiw.net, yam@ietf.org
Subject: Re: [yam] [Fwd: [secdir] secdir review of draft-ietf-yam-rfc1652bis-03]

> I concur with Barry.   I fear that the path Steve apparently
> wants to go down --as I understand it, to incorporate warnings
> in security considerations simply because a mechanism can be
> used to transfer bad stuff -- leads to madness.   But I'm happy
> to have you discuss it with him to see if you, together, can
> find an acceptable basis for moving forward.

There are really two issues here. First is whether or not to attempt to address
this in 1652bis. Even if I were to agree that we should address this, it most
certainly doesn't belong in 1652bis, if for no other reason than nobody dealing
with this issue is going to look there for advice.

As for whether it belongs in 5321bis/5322bis, I'm afraid I have to agree with
John: This is a path to madness, or more accurately, to a world where security
considerations contain so many obvious, irrelevant, or both issues that the
real issues specific to a given protocol or format simply get lost in all the
other noise. And this is not a path which, if followed, will improve overall
Internet security. To the extent it has an effect, it will be the opposite.

I also have to say I find the notion that a short security considerations
section is necessarily a bad one to be worth pushing back against. There are
plenty of protocols and extensions that do not introduce additional security
considerations. We even have a term for this: Good design.

				Ned