"Best practices" implementation guides have real value. We've seen them developed for specific application/platform deployment, and other organizations such as USENIX and SANS have shown there is a demand for them by the folks in the trenches. I agree that standards/protocols guides are much more uncommon; to what extent that is due to "out of scope" determination by the employers of standards developers is an open question.
But to reiterate: "best practices" guides with a security focus would be a valuable addition to the many efforts underway already. Inexpertly administrated resources will always be an issue, no matter the efforts ranging from random number generation through hardening of transport and data exchange. Walter Walter Pienciak Senior Manager, Technology Community, IEEE Standards Association [email protected] +1 303 527 0934 On Wed, Jan 29, 2014 at 10:11 AM, Phillip Hallam-Baker <[email protected]>wrote: > If we are going to secure the net we need more than specifications, we > need running code and configurations to match. > > Right now the problems caused by us using SHA1 are vastly less than the > problems caused by systems that are just terribly configured or don't make > the right security checks. > > I have an exploit that lets me dump out usernames and passwords enclair > from certain applications despite the apparent use of 'security' because > most of the clients and many of the servers out there are not configured > right. But it does not currently even merit a CERT advisory because it > isn't a bug in the code or the specification, it is a configuration failure. > > > So here is the proposal, IETF and W3C develop a series of profiles for how > to lock down a service (Web, mail, chat) that provide specific security > protections against specified attacks. The suite would also include > profiles for backbone, datacenter providers etc. > > These profiles can then form the basis for a range of security services > that can be fulfilled by providers as appropriate to the needs of the > clients. > > So for example, Comodo and the other CAs and some of the DNS registrars > can pitch in on the retail end and provide 'off the shelf' services that > are locked down to a calibrated security profile. Then at the other end of > the scale very large enterprises with a designated CISO would call in the > likes of big consulting companies to deploy. > > There would also be business opportunities for independent consultants. In > fact I am not sure that the retail model is going to be viable unless I can > tell an unprofitable customer that their needs are beyond what the flat > service fee model can support and they need to contact an independent > contractor. > > > This is of course something the industry has traditionally looked to NIST > to provide. But lets face it, that model is dead. It might be five years > before we can get people in a room together. Meanwhile we face real threats. > > I see a number of questions here, one of which is what the appropriate > venue is. Another is what community should be involved. While this probably > needs to be an IETF or W3C activity it need not necessarily take place at > IETF meetings. A technical session lumped onto the front of Blackhat while > the admin type folk are in the training sessions might well be a better > venue. We probably want to follow up on Jim Getty's advice to connect to > the Linux Plumbers. > > Security protocol designers are not the best folk for finding holes > because most of the holes are created by people doing stuff that is just so > stupid most of us would never think to do it. > > But the work does need to be done somewhere and it needs to be an open, > unencumbered specification that draws on open standards. > > -- > Website: http://hallambaker.com/ > > _______________________________________________ > perpass mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/perpass > >
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
