
Re: draft-ietf-grip-isp-06.txt



Tom Killalea <tomk@neart.ie> wrote:
> 2.6 Communication and Authentication
> 
>    ISPs SHOULD have clear policies and procedures on the sharing of
>    information about a security incident with their customers, with
>    other ISPs or SIRTs, with law enforcement or with the press and
>    general public.
> 
>    ISPs SHOULD also be able to conduct such communication over a secure
>    channel.  Note, however, that in some jurisdictions secure channels
>    might not be permitted.

Two remarks on the last sentence:
1. By "secure channels" you mean "encrypted channels".
  In the current practices of CIRTs, "secure channels" means "what the CIRT
  considers to be secure regarding its constituency".

2. In my country, encryption is not forbidden; for more than 40 bits, a request
  must be sent to the government to receive the authorization.


To sum up, I propose:
  "ISPs SHOULD also be able to conduct such communication over a
  secure channel. Secure channels are defined in the CIRTs security policy.
  ISPs SHOULD use encryption to provide confidentiality.
  Note, however, that in some jurisdictions the use of encrypted channels
  might be restricted or not permitted."

Tristan Debeaupuis
-- 
Tristan.Debeaupuis@hsc.fr -=- Herve Schauer Consultants -=- TD1678