Anne's comments on draft-04, 3/4: substance of main body
- To: GRIP Working Group <grip-wg@UU.NET>
- Subject: Anne's comments on draft-04, 3/4: substance of main body
- From: Anne Bennett <anne@alcor.concordia.ca>
- Date: Mon, 31 Mar 97 22:52:43 -0500
- Comment: grip-wg mailing list add/drop requests to Majordomo@TransSys.COM
- Reply-to: Anne Bennett <anne@alcor.concordia.ca>
Here are my comments about the substance of the document (about time,
eh?), based on my copy of the document after the application of my
two sets of fixes submitted earlier.

First of all, let me say, before I forget to do so because it seems so
obvious, that I *really* like this document. I liked it in the first
incarnation I saw about a year ago, but it's much better now; I think
it's just about ready for publication (barring the still incomplete
"populated template", mea culpa...). The recent changes have made it
very clear. Congratulations to those who have worked so hard on it.

There are very few areas that I still see as needing attention (again
aside from appendix E, which will be the target of part 4 of my
remarks). These are:

[Section 1, penultimate paragraph]

> outline template found in Appendix D. This template can be used
> by constituents to elicit information from their SIRT, and it provides
> criteria with which to measure their team's performance.

Does it really provide such criteria? I think I see what you mean,
in that having a description of services is a prerequisite to
deciding whether the services have been provided successfully, but
I think that this sentence may raise unreasonable expectations
concerning the usefulness of the template.

[Section 2.1, 4th paragraph]

> As a SIRT provides a service to a this clearly defined constituency,
> it should communicate all necessary information about its policies
> and services in a suitable form. It is important to understand that

The first line is rather mangled, and I could not suggest a fix,
since I was not quite sure what was meant. Perhaps the first
sentence should read:

    A SIRT should communicate all necessary information about its policies
    and services in a form suitable to the needs of its constituency.

or

    The communication of all necessary information about a SIRT's
    policies and services in a form suitable to the needs of its
    constituency is itself an important service to that constituency.

[Section 2.3, penultimate paragraph]

> [...] Specific requirements
> (such as calling a specific number to check the authenticity
> of keys) should be clear from the start. SIRT templates provide a
> standardized vehicle for delivering this information.

(1) It is not clear whether the "specific requirements" are those
    that a SIRT promises to meet when transmitting information, or
    those that it imposes on its clients in order to accept
    reports, or what.

(2) The example of calling a specific (telephone?) number is a bit
    weird: if the document giving this telephone number can be
    trusted, then why not just give the keys straight away?

It is possible that my confusion about this section will be cleared
up when I try to fill in that part of my template, in which case
better text for the above sentence might suggest itself.

[Section 3, paragraph 2]

> [...] no recommendations are made as to what a SIRT should adopt for its
> policy or procedures, different possibilities are outlined to give some
> examples. The most important thing is that a SIRT have a policy and that
> that those who interact with the SIRT be able to obtain and understand it.

I'm quite hesitant about the last sentence. In most of our
document, while we refer vaguely to "policies and procedures", in
the end we *list* the items of information which should be
provided, and in particular we list in appendix D the various
policy items which are relevant to the operation of the SIRT and
which should be outlined in the SIRT description document. So to
suddenly read that the "most important thing is that a SIRT have a
policy" sends me scrambling to look for "a policy" -- most
distracting. Since this sentence says nothing that has not been said
multiple times elsewhere in the document, and since section 3.4
explains policies in some detail, I'd recommend simply removing that
sentence.

[Section 3.7]

> It should be noted that some forms of reporting or disclosure relating
> to specific incidents or vulnerabilities can also imply liability, and
> SIRTs should consider the inclusion of disclaimers in such material.

For those of us who don't live in the USA and for whom all of these
liabilities are a bit of a mystery... :-) Do you mean that a SIRT
might be held liable for wrecking the reputation of a company if it
somehow leaks the identity of the company that was cracked? Do you
mean that if we describe a vulnerability and someone then uses it to
break into a computer, that the victim might try to hold the SIRT
responsible? Anything else?

[Appendix C]

> [...] At the time of writing, more than 55 teams are
> members (1 in Australia, 13 in Europe, all others from America).
> Information about FIRST can be found:

America? Presumably you mean one of "the Americas", "North
America", or "the United States of America" -- pick one and use it.
Sorry to be snarky; I'm just an oversensitive Canadian. :-)

BTW, can we remove the section numbers from the appendices?

Anne.

--
Ms. Anne Bennett, Computing Services, Concordia University, Montreal H3G 1M8
anne@alcor.concordia.ca (514) 848-7606