On 10/17/13 10:50 AM, Lucy yong wrote:
> [Zu Qiang] my point is that there is no other security mechanisms
> (except key management) have been discussed in the draft.
> [Lucy] An easy way to address this is to describe the key management as an
> example only in the requirement draft. Thus it does not exclude other
> security mechanisms.

I'm sorry, but I do not understand this discussion at all. How keys are managed matters a lot (where "a lot" means "critically important") in terms of the overall security of the system. We are sloppy about it at our own peril.

The assertion that nothing but key management is discussed in the working group draft is very clearly incorrect. I do not understand "we never try to argue the security solutions other than key management should not be used" because key management is not a security solution in the first place - it's a technology that's part of the overall security solution (not really fond of the word "solution", anyway).

Too many of Zu's requirements are really squishy and not actually requirements, and the bottom line is that I wish he were working with the security document authors and posting text to the mailing list rather than posting a competing draft. But most of all I cannot believe that someone who writes "the NVO3 network security requirement draft shall allow additional security mechanisms other than key management" has read the working group draft.

I apologize for being harsh but I don't think that posting a large document is a productive way to tackle deficiencies, real or perceived, in the working group draft, the suggestion that there's nothing in there but key management is clearly wrong, and the discussion about key management vs. other security mechanisms is both confused and confusing.

Melinda
