[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Minion-design.pdf is submitted
On Thu, May 09, 2002 at 03:45:18PM -0400, Nick Mathewson wrote:
> On Thu, 2002-05-09 at 15:01, Len Sassaman wrote:
> > On Wed, 8 May 2002, Roger Dingledine wrote:
> > > * We need to start an actual spec. I'm not a spec person anymore, so I
> > > don't want to be the one leading that; but I'll read and give comments
> > > and answer questions. Nick will help, but he's too busy these days for
> > > me to just volunteer him. Anybody want to pick this up and run with it?
> Actually, I'm currently writing a draft spec for Wouter and George and
> everybody else to hack on.
Great! Looking forward to it very much.
> This won't be anything near the final draft, I hope. We still have a
> lot to discuss, a bunch of problems to solve, and a bunch of peer review
> to solicit. The point of the spec is to give would-be reviews a target.
> :)
Be careful what you ask for :-)
But seriously, having a spec would allow me to check whether I've
understood the ideas correctly.
> [...]
> > Are we gearing this toward being an IETF draft?
> In the long term, sure. Right now, we're just trying to get a
> well-defined, secure protocol. We're still far away, on both counts.
One thing that bothers me as when we go to the spec-stage is that specs
are good in describing the how, not the why. Especially RFC-style specs
promote describing mostly the behaviour of the nodes, so we are in
danger of losing the objectives and rationale (or in evaluation terms:
the security objectives and the mapping to the security functions that
implement them). Reverse enginering the objectives from the design and
retrofitting this mapping is fairly hard and makes for spectacular
faults when the ideas/requirements and spec start going out of sync.
I think that is dangerous for something as tricky as this.
Unfortunately, the only method I know of that (sort of) works is the
Common Criteria process with definition of a security target/protection
profile and associated tables. Problem with that method is that the CC
language is hard to read for those not regularly exposed to it so I'm
afraid that would be a mostly write-only effort. So, would updating
and/or adapting of something like
<URL:http://citeseer.nj.nec.com/iachello99uersoriented.html>
be usefull?
With kind regards,
Wouter
--
Wouter Slegers
Your Creative Solutions
"Security solutions you can trust and verify."