
RE: Some comments on draft-ietf-opes-threats-00




+1

abbie


> -----Original Message-----
> From: Markus Hofmann [mailto:markus@xxxxxxxx]
> Sent: Saturday, October 26, 2002 1:59 PM
> To: Oskar Batuner
> Cc: Penno, Reinaldo [BL60:0430:EXCH]; OPES Group
> Subject: Re: Some comments on draft-ietf-opes-threats-00
>
>
>
> Oskar Batuner wrote:
>
> >> b) Correct me if I'm wrong here but it seems to me the (original?)
> >> idea of this document was to document the *additional/specific*
> >> security threats the addition of an OPES imposes. The document as
> >> it stands today basically lists more or less all attacks known to
> >> man. [...]
> >
> > The problem you are pointing to does exist, but I hope it is
> > limited to a few subsections in section 2, namely 2.1.1 - 2.1.5.
>
> I agree with both, the problem exists, in particular in Section 2.1.
> This section should be structured in a way that it talks only about
> network level threats *introduced by the new OPES components*, rather
> than explaining network level threats in general.
>
> Example in Section 2.1.4: It isn't necessary to explain what
> eavesdropping is, and it isn't necessary to explain that this is an
> issue for transmitting information between a client and a server. But
> it is important to point out that the introduction of OPES processors
> and callout servers opens new possibilities for eavesdropping, namely
> on the link between OPES processor and callout server. This is a *new*
> threat compared to non-OPES environments, and has direct implications
> on the OPES requirements. The section - and the document in general -
> should focus on threats introduced by the new OPES elements, and
> explicitly spell those out.
>
> I think this can easily be fixed.
>
> -Markus
>
>