[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: comments

To: "Smith, Donald" <Donald.Smith@qwest.com>
Subject: Re: comments
From: "George M. Jones" <gmjones@mitre.org>
Date: Mon, 16 Jun 2003 14:10:16 -0400
Cc: "'Dan Hollis '" <goemon@anime.net>, "'opsec@ops.ietf.org '"<opsec@ops.ietf.org>
References: <2D00AD0E4D36D411BD300008C786E4240D558E7E@Denntex021.qwest.net>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Smith, Donald wrote:

Your right anywhere you have a should if you REALLY want it
your going to have to say MUST. Vendors will at least try to implement all
the musts if we (collective community) demand complilence with this rfc.

Like I said, make a pass.   Tell me which you think should change.

I've tried to strike a balance.   Keep in mind that if someting is
too hard to implmenent, too costly or restricts functionality too
much, the whole set of requirements may be ignored.   The goal
is to specify a set of requirements that is both realistic and that
impoves the general state of security.

As for default passwords. I dont see that as a vendor issue.
Everything comes with defaults. The end user MUST change them.

So this is back to the knobs and settings question.   First, we want the
knobs to be there to enable secure configuration.    Second, we want
secure default configuraitons.

Passwords are clearly knobs.   The question is, how reasonable is it
to set them with secure defaults (e.g. random, per-unit passwords
maybe printed on the case, stored in the PROM, etc.) ?

---George Jones

Follow-Ups:
- Re: comments
  - From: ericb@digitaljunkyard.net

References:
- RE: comments
  - From: "Smith, Donald" <Donald.Smith@qwest.com>

Prev by Date: Re: comments
Next by Date: Re: comments
Previous by thread: Re: comments
Next by thread: Re: comments
Index(es):
- Date
- Thread