On 01/27/2012 03:46 PM, Peter Saint-Andre wrote:
On 1/19/12 9:02 AM, [email protected] wrote:
Hi Gabor,
Peter's comment: "I think it would be better to consider the various
threat levels and then decide how to provide reasonable protection against
them in a comprehensive way." makes sense.
It is unnecessary to specify requirements such as the need for OCSP in
case certificate based authentication is used etc.
Rather, let's specify a broader set of security requirements based on the
threat model and let the solution(s) decide what would be the best
approach for dealing with such security needs.
Typically, IETF protocols specify a baseline (e.g., minimum TLS version,
rules for cert checking) so that we can ensure basic interoperability.
Is there a reason why we would not do the same here?
I do hope not:-)
Also, not sure if the WG are treating privacy and security in
one go, but the charter does say;
"Robust privacy and security mechanisms are needed..."
So I also hope that gets considered. I don't see it in the current
reqs. draft but have not read that fully.
Cheers,
S
Peter