On Nov 17, 2011, at 10:01 AM, Randy Bush wrote:

> hi russ,
>
>>>> Security compares what the state currently looks like to what the state
>>>> should look like.
>>> the problem is how does one know what the state of the system 'should'
>>> look like?
>>
>> My understanding has always been that the point of any security system
>> is to provide a secure and verifiable indication of what the system should
>> look like in order to compare current events against that standard.
>
> you have been saying that for years. and i understand your point. what
> i have never understood is *how* you can tell how things 'should' be.
>
> so the current sidr proposals are for what we *know how to do.* they
> are not perfect, but they are a radical improvement on the current
> state.
>
> i am very open to clue on how to rigorously define how things 'should'
> be, especially if it is rigorously testable given real world
> constraints.
Maybe this discussion could be viewed as a good motivation for revisiting the requirements draft. It seems to me that these arguments (on both sides) could be viewed as the early stages of requirements analysis (RA). If we can all get on the same page (or maybe into the same chapter) about what we want to protect, then we can talk about how to do it. In the event we discover that we've carved out an unattainable requirement, we follow the exception back to RA and revisit the requirements. Software engineering... :)

Eric

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
