Discussion:
[iri] #107: Clarify requirement for security considerations
iri issue tracker
2011-11-17 02:15:56 UTC
#107: Clarify requirement for security considerations

Section 4 (Guidelines for Provisional URI/IRI Scheme Registration) allows
registration by third parties (even if not on behalf of those who created
the scheme). While many of the required pieces of information are
"SHOULD"s, it says:
"A valid Security Considerations section, as required by Section 6
of [RFC5226]."

If the third party does not have access to the spec (e.g., because it's
owned by an SDO or company without an open spec), the third party may not
be able to write a "valid" security considerations section. I ran into
this personally.

Need to either make it a SHOULD, or else clarify what is needed in a
"valid" section.
--
-----------------------------+---------------------------------------------
 Reporter:  dthaler@…        |      Owner:  draft-ietf-iri-4395bis-irireg@…
     Type:  defect           |     Status:  new
 Priority:  major            |  Milestone:
Component:  4395bis-irireg   |    Version:
 Severity:  Active WG        |   Keywords:
            Document         |
-----------------------------+---------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/iri/trac/ticket/107>
iri <http://tools.ietf.org/wg/iri/>
Peter Saint-Andre
2011-12-09 18:41:33 UTC
<hat type='individual'/>
Post by iri issue tracker
> #107: Clarify requirement for security considerations
> Section 4 (Guidelines for Provisional URI/IRI Scheme Registration) allows
> registration by third parties (even if not
> on behalf of those who created the scheme). While many of the required
> "A valid Security Considerations section, as required by Section 6
> of [RFC5226]."
> If the third party does not have access to the spec (e.g., because it's
> owned by an SDO or company without an open spec), the third party may not
> be able to write a "valid" security considerations section. I ran into
> this personally.
> Need to either make it a SHOULD, or else clarify what is needed in a
> "valid" section.

As I recall from the meeting in Taipei, we decided that it was valid to
say "unknown, use at your own risk".

Peter
--
Peter Saint-Andre
https://stpeter.im/
Chris Weber
2011-12-10 20:20:56 UTC
Post by Peter Saint-Andre
> <hat type='individual'/>
> Post by iri issue tracker
>> #107: Clarify requirement for security considerations
>> Section 4 (Guidelines for Provisional URI/IRI Scheme Registration) allows
>> registration by third parties (even if not
>> on behalf of those who created the scheme). While many of the required
>> "A valid Security Considerations section, as required by Section 6
>> of [RFC5226]."
>> If the third party does not have access to the spec (e.g., because it's
>> owned by an SDO or company without an open spec), the third party may not
>> be able to write a "valid" security considerations section. I ran into
>> this personally.
>> Need to either make it a SHOULD, or else clarify what is needed in a
>> "valid" section.
> As I recall from the meeting in Taipei, we decided that it was valid to
> say "unknown, use at your own risk".
> Peter

So the consensus here would be to keep this REQUIRED, and add language
to Section 4 of 4395 that says something along the lines of:

When a valid Security Considerations section may not be written, e.g.
because the specification is private and not open, then this section
should document that reason along with the advice - "security
considerations are unknown, use at your own risk."

Best regards,
Chris Weber
iri issue tracker
2011-12-14 01:42:25 UTC
#107: Clarify requirement for security considerations

Changes (by masinter@…):

* status: new => closed
* resolution: => fixed


Comment:

Text changed:

The scheme definition SHOULD include a clear Security Considerations
section (as with permanent scheme registrations<xref target='secguide'/>)
or explain why a full security analysis is not available (e.g., with
a third-party scheme registration).
--
----------------------------+----------------------------------------------
 Reporter:  dthaler@…       |        Owner:  draft-ietf-iri-4395bis-irireg@…
     Type:  defect          |       Status:  closed
 Priority:  major           |    Milestone:
Component:  4395bis-irireg  |      Version:
 Severity:  Active WG       |   Resolution:  fixed
            Document        |
 Keywords:                  |
----------------------------+----------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/iri/trac/ticket/107#comment:1>
iri <http://tools.ietf.org/wg/iri/>
iri issue tracker
2011-12-14 01:51:52 UTC
#107: Clarify requirement for security considerations


Comment (by masinter@…):

Checking before submitting draft, I wound up rewriting this as:


The scheme definition SHOULD include a clear Security Considerations
(<xref target='secguide'/>) or explain why a full security
analysis is not available (e.g., in a third-party
scheme registration).
--
----------------------------+----------------------------------------------
 Reporter:  dthaler@…       |        Owner:  draft-ietf-iri-4395bis-irireg@…
     Type:  defect          |       Status:  closed
 Priority:  major           |    Milestone:
Component:  4395bis-irireg  |      Version:
 Severity:  Active WG       |   Resolution:  fixed
            Document        |
 Keywords:                  |
----------------------------+----------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/iri/trac/ticket/107#comment:2>
iri <http://tools.ietf.org/wg/iri/>
Peter Saint-Andre
2011-12-14 22:19:51 UTC
Post by iri issue tracker
> #107: Clarify requirement for security considerations
> The scheme definition SHOULD include a clear Security Considerations
> (<xref target='secguide'/>) or explain why a full security
> analysis is not available (e.g., in a third-party
> scheme registration).

WFM, thanks.

Peter
--
Peter Saint-Andre
https://stpeter.im/