Paul Hoffman wrote:
At 6:07 PM -0800 1/22/10, David Conrad wrote:
Operationally, people will do what they think is appropriate regardless of what is
written in an RFC. In some version of an ideal world, folks who care about "doing
the right thing" could point to an RFC and ask vendors if they implement that RFC
(pre
suming the RFC describes doing the right thing). I don't fully get why it
makes sense to dumb down RFCs in this context, but I'm sure it's because I'm
missing something.
You are. People will tell operators "an RFC exists that covers your operation, so
you must follow it". We see that all the time in the IETF in general, and I believe
at least one person said it at the mic at the DNSOP WG in Dublin.
Thus, we really want our operational RFCs to reflect the widest range of best practices
that are actually considered "best". If we get lazy and just list one scenario,
we will be hurting the Internet by restricting some organizations to following one mo
del when another might have made more sense for them.
Then, you perpetuate the IT security paradigm where the operator
complies to an auditable specifications-based operations guide, but the
attackers are given opportunities to pass through the cracks.
That's because a given (operational) instance applies a single scenario
that is unique and never fully examined: the RFC approach with multiple
scenarios fails to provide a full analysis opportunity for any single
one (that would be obviously out of scope in some aspects).
For instance, full review of an operational plan requires disclosure of
internal security measures (around personnel turnover) that are not
typically subject to formalization in a form suitable for IT security
analysis.
I don't have an answer for this paradox.
Regards,
- Thierry Moreau
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop