Re: what is a threat analysis?

To: Brian E Carpenter <brc at zurich.ibm.com>
Subject: Re: what is a threat analysis?
From: Michael Thomas <mat at cisco.com>
Date: Tue, 16 Aug 2005 06:23:03 -0700
Authentication-results: imail.cisco.com; header.From=mat@cisco.com; dkim=pass ( message from cisco.com verified; );
Cc: ietf at ietf.org
Dkim-signature: a=rsa-sha1; q=dns; l=2143; t=1124198369; x=1124630569; c=nowsp; s=nebraska; h=Subject:From:Date:Content-Type:Content-Transfer-Encoding; d=cisco.com; i=mat@cisco.com; z=Subject:Re=3A=20what=20is=20a=20threat=20analysis?| From:Michael=20Thomas=20<mat@cisco.com>| Date:Tue,=2016=20Aug=202005=2006=3A23=3A03=20-0700| Content-Type:text/plain=3B=20charset=3DISO-8859-1=3B=20format=3Dflowed| Content-Transfer-Encoding:7bit; b=Uc0aB8xTV5RpFc3FqmSJJaGrIEJ30lhZtZDeoIrFYIhBgCRG4c4z5Fk6zbj1XSK8xC0a54oF 7J2svGHOwnjAMZZhHw9OiCwB61m2paDOvab8iWnIlxGK641BmGK3JT4Beu8991IGxj1yF9gxUya d+J9jZCy6WXmkOUh/iI6kxeE=
In-reply-to: <4301DB1B.8050300@zurich.ibm.com>
List-help: <mailto:ietf-request@ietf.org?subject=help>
List-id: IETF-Discussion <ietf.ietf.org>
List-post: <mailto:ietf@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
References: <42FA5884.9060103@cisco.com> <42FB1640.5020906@zurich.ibm.com> <42FB664A.60605@cisco.com> <01LRP7VL7OTW000092@mauve.mrochek.com> <4301DB1B.8050300@zurich.ibm.com>
Sender: ietf-bounces at ietf.org
User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; rv:1.7.3) Gecko/20040913 Thunderbird/0.8 Mnenhy/0.7.2.0

Brian E Carpenter wrote:

Ned Freed wrote:

Brian E Carpenter wrote:
> Michael, you've had some quite concrete responses which I hope
> have clarified things, but I really want to say that making
> Internet protocols secure isn't a hoop jumping exercise; it's
> more like a survival requirement, and has been for ten years
> at least.
Where did I say that?
Of course you didn't, and the implication that you did say that was nothing but a strawman, a tactic I'm sad to say often seems to crop up in discussions on the IETF list.

Excuse *me* but Mike's note that I was responding to said (in part):

So, if this is going to be yet another hoop that the IESG and IAB
sends working groups through like problem statements, requirements
documents and the like, I think it ought to be incumbent on
those people demanding such things to actually both agree and
document what it is that they are demanding.

He explicitly raised the question of hoop jumping, which for me at
least carries a strong implication of pointlessness. That's what
I was responding to.


So you've fixated on the word "hoop". Fine. Delete it
and the original question still stands.

More recently he said:

Do you seriously think you could write a "threat analysis"
given the definition in 2828?

which reads
  "$ threat analysis
       (I) An analysis of the probability of occurrences and consequences
       of damaging actions to a system."

As a glossary definition, that seems admirably clear.


I repeat: could you write a threat analysis based upon the
definition in 2828? That was suggested by somebody as being
adequately defined for my original question.

For a complex case,
I'd expect to ask some experts for help in determining the type of
threats to be considered in particular. And I would study 3552 carefully,
warts and all. But the bottom line is that this is hard work to get
right - compare the Security Considerations of RFC 3056 with RFC 3964
for example.


The reason I brought this to this list is because there's
no clarity about what is meant by a "threat analysis", though
it seems to be cropping up more and more in the IETF process
(look ma! no hoops!). If it's going to be part of our process,
then I think its incumbent on those who want to impose the
process to be clear about what they're asking for, and for
that process to not be an idiosyncratic. The waste of time
here is not the process per se, but the work on drafts,
etc, that are not what the person making the demand is asking
for. Do you have an objection to clarity in process?

		Mike

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

References:
- what is a threat analysis?
  - From: Michael Thomas
- Re: what is a threat analysis?
  - From: Brian E Carpenter
- Re: what is a threat analysis?
  - From: Michael Thomas
- Re: what is a threat analysis?
  - From: Ned Freed
- Re: what is a threat analysis?
  - From: Brian E Carpenter

Prev by Date: Re: what is a threat analysis?
Next by Date: RE: what is a threat analysis?
Previous by thread: Re: what is a threat analysis?
Next by thread: Re: what is a threat analysis?
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: what is a threat analysis?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.