Hi Marcelo -

>>> i mean, we have discussed this point while writing this version
>>> of the draft and our conclusion was that an implementation that
>>> would do this would be really bogus so it was not worth
>>> mentioning it in the draft... i mean, i am not sure we need to
>>> describe how people should not shoot themselves in the foot in
>>> various ways...
>>
>> Good point. Maybe the security considerations is a better place to
>> discuss this. The security considerations should in any case
>> discuss the issue of downbidding attacks IMO
>
> but all the document discuss security issues, so we could say that
> all the document is security considerations (that is basically what
> it says in the security considerations section...)
>
> I am not sure what is the usual approach for this type of documents
> where all the content is security related... do they usually contain
> a sort of summary in the security consideration section or do they
> just mention that all the document is about security and that's it?
>
> i am ok with any of the approaches, just that this one was easier :-)

Hmm, the document first describes the deficiencies of today's CGA and
then provides a solution. The Security Considerations section typically
discusses any remaining security issues with the solution, or it
explains why a typical threat that people might be concerned about does
not apply. Since downbidding is such a typical threat, I thought that
the Security Considerations should explain why the proposed solution is
not vulnerable to it.

But it's totally fine if you put the explanation elsewhere if that
works better with the current draft structure.

Best,
- Christian

--
Christian Vogt, Institute of Telematics, Universitaet Karlsruhe (TH)
www.tm.uka.de/~chvogt/pubkey/
