Melinda,

Sorry to set you up. I did not read both drafts and did not indicate to include 
Zu's draft at all.

All of my response is based on these debates.
>[Dacheng Zhang:]
>Maybe you misunderstood our points, we never try to argue the security 
>solutions other than key management should not be used, although we do 
>introduce how to use key management mechanisms to mitigate different 
>security issues
[Zu Qiang] my point is that no other security mechanisms (except key 
management) have been discussed in the draft.

It seems the two people are talking across each other in understanding. So I 
made the suggestion. If this is my misunderstanding, please ignore it.

Regards,
Lucy


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Melinda 
Shore
Sent: Thursday, October 17, 2013 2:13 PM
To: [email protected]
Subject: Re: [nvo3] Commnets on draft-ietf-nvo3-security-requirements-00.txt

On 10/17/13 10:50 AM, Lucy yong wrote:

> [Zu Qiang] my point is that no other security mechanisms (except key
> management) have been discussed in the draft.
>
> [Lucy] An easy way to address this is to describe the key management as an
> example only in the requirement draft. Thus it does not exclude other
> security mechanisms.

I'm sorry, but I do not understand this discussion at all.
How keys are managed matters a lot (where "a lot" means "critically important") 
in terms of the overall security of the system.  We are sloppy about it at our 
own peril.

The assertion that nothing but key management is discussed in the working group 
draft is very clearly incorrect.  I do not understand "we never try to argue 
the security solutions other than key management should not be used" because 
key management is not a security solution in the first place - it's a 
technology that's part of the overall security solution (not really fond of the 
word "solution", anyway).  Too many of Zu's requirements are really squishy and 
not actually requirements, and the bottom line is that I wish he were working 
with the security document authors and posting text to the mailing list rather 
than posting a competing draft.  But most of all I cannot believe that someone 
who writes "the NVO3 network security requirement draft shall allow additional 
security mechanisms other than key management" has read the working group draft.

I apologize for being harsh but I don't think that posting a large document is 
a productive way to tackle deficiencies, real or perceived, in the working 
group draft, the suggestion that there's nothing in there but key management is 
clearly wrong, and the discussion about key management vs. other security 
mechanisms is both confused and confusing.

Melinda
_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3