RE: Security Use Requirements

To: "Scott Bradner" <sob@harvard.edu>, <ips@ece.cmu.edu>
Subject: RE: Security Use Requirements
From: "Douglas Otis" <dotis@sanlight.net>
Date: Wed, 7 Feb 2001 13:17:38 -0800
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;charset="iso-8859-1"
Importance: Normal
In-Reply-To: <200102071624.LAA23742@newdev.harvard.edu>
Sender: owner-ips@ece.cmu.edu

Scott,

If there is 'required to implement' security that is later found compromised
by a man in the middle or through a spoofing mechanism, would such a mandate
in the end ensure an open door for those familiar with this 'required to
provide' security weakness?  Could you recommend a security scheme that is
safe from this type of attack?

Could security mandates be limited to user authentication and authorization?
Compression-Encryptions passes are computationally expensive processes that
offer little benefit in many configurations.  If there is a mandated
security, cryptographic resources should be limited to authentication.  Yes,
I understand the present thinking is to have the SCSI device report
authorization.  This brings up the question, how does the SCSI device know
and what scheme is it using.  It would seem foolish to insist on a security
mandate than then level such a major hole in allowing security management.

Doug



> John asks:
> > That
> > is, it could be acceptable to have a gateway box included in the must
> > implement.
>
> how would this deal with the case where the "gateway box" is built into
> a device? (i.e. no seperate gateway box)
>
> Scott
>

References:
- RE: Security Use Requirements
  - From: Scott Bradner <sob@harvard.edu>

Prev by Date: RE: Security Use Requirements
Next by Date: RE: Security Use Requirements
Prev by thread: RE: Security Use Requirements
Next by thread: RE: Security Use Requirements
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:05:34 2001
6315 messages in chronological order