Dave,

Dave Crocker wrote:
> Folks,
>
> Jim has put in quite a bit of effort on the Threat Analysis document.
> Multiple iterations of a document, with revisions that are highly
> responsive to community feedback, usually make for a document that is
> finished.
>
> In the current case, I find myself entirely unclear how we will know
> when it is *really* finished. Clearly it is not enough to simply run
> out of comments and suggestions from participants. The current mailing
> list discussion and issue-list management will satisfy the needs of the
> mailing list participants.
>
> However, the document must satisfy the requirements of Security Area
> experts. How will we know when we have accomplished that? I am not
> aware of an explicit, stable reference against which we can target this
> document.
>
> With luck, my confusion is merely due to my having missed important
> management and documentation actions. I sure hope so.
>
> However, the charter requires completing the threats document within
> about 30 days and I see no way to claim that we are likely to meet that
> milestone.
>
> d/
>
> ps. Please note that I am sending this to the WG, rather than -- for
> example -- our Area Director. At the moment, my concern is what WE know
> to be our task, rather than what he or his IESG colleagues might
> describe it to be.

This is always tricky and the short answer is that we won't know since
there may always be a vulnerability that we didn't think about.

In a commercial environment, you basically decide how much to spend
and then spend that much (though some people might say otherwise:-)

However, the IESG did accept our milestones and if we can demonstrate
that we made a good faith and technically competent effort to do the
job, then I think we have as good a defense as you can get in this
case. That's a reason why getting comments on the threats draft is
important. Silence on this produces no evidence (nor btw would simple
acclaim).

The IESG may in fact find additional work is needed, say if they note
a threat we didn't spot, but that'd be to the good in the end (other
than the hopefully slight delay it might introduce).

So, for me, being able to show (via the I-D, issues list and mail
archive) that we've done a good job should be enough. We'll see though.

Stephen.

PS: And in any case, IESG members are smart enough to be able to raise
issues regardless, if that's what they want to do.
_______________________________________________
ietf-dkim mailing list
http://dkim.org