
intended audience for grip-isp



I think you should state very clearly who your intended audience is up
at the top of the document.  This will avoid people having to figure it
out.  If there is an appendix for end users, it should be pointed to in
this introductory paragraph.

We had some material in ssh-users about ISP considerations.  We removed
it in the draft before last as it was considered far too banal and not
really helpful.  If you have any points you would like to add to this
document regarding end-user considerations for ISPs please inform us
there (ssh@cert.org is the mailing list.)  The problem is that you must
basically say:  "Your ISP must behave professionally and be competent to
administer a network with security in mind."  How is the end user to know
if this is being done?  All ISPs will surely *represent* themselves as
having secure, professional operations.

Erik Guttman

--------------------------------------------------------------------------
The context for my remarks is included below:
--------------------------------------------------------------------------

Nevil Brownlee wrote:
>>1) The starting point for this document was to give suggestions to
>>   Internet users as to what they should expect from their ISPs.
>>   You've expanded it into a much more detailed list, which is a
>>   little two-edged.
>>
>>   On the plus side, it gives ISPs (and those thinking about becoming
>>   ISPs) a very good list of things they need to think about. The second
>>   paragraph of the abstract clearly says the document is aimed at ISPs,
>>   and I agree that's what the Working Group is addressing.  
>>
>>   On the minus side, it's now too long and too complex for 'naive'
>>   users.  Perhaps it would be good to include an 'end-users checklist'
>>   as an appendix?  What do other people think about this?

Tom Killalea responded: 
>
>In considering the audience for this draft I looked at 4 groups:
>
>  1) ISPs
>
>  2) people who make purchasing decisions for Internet services for an
>     organisation, and the people at such organisations who take
>     responsibility for site security
>
>  3) end users at organisations
>
>  4) end users at home, etc.
>
>I decided to focus on 1 and 2, given that
>
>  - those two groups should be able (with the help of this document) to
>    speak the same language and discuss security expectations using a
>    common framework and terms of reference
>
>  - the interests of 3 should be represented by 2
>
>  - people in group 4 have very different needs and speak a very
>    different language, and  their interests should be better met by 
>    the SSH WG and specifically
>    ftp://ftp.ietf.org/internet-drafts/draft-ietf-ssh-users-03.txt
>
>The checklist idea is certainly worthy of more discussion.