
Re: Less is more



George and everyone,

On the theory that "less is more", I'm considering dropping a number
of the requirements that are not clearly in the BCP camp.  In the TOC
below (from the -01 doc,
http://www.port111.com/opsec/draft-jones-opsec-01.txt, still waiting
on I-D editor to publish on IETF site), I've marked the ones that will
stay with a "B" (BCP) in first column, and the ones that will go with
an "O" (Other).

I've examined your designated sets of 'B' and 'O' items.  I
think that most of the 'O' items can be dropped or moved to a
separate document and still leave the main BCP document viable.

However, I'm concerned about harmonization with the ANSI T1M1
specification.  In particular, it seems that dropping the
following items might make it too easy for a device to meet our
Opsec requirements but fail to satisfy T1M1.5/2003-007.


O   2.11.1  Ability to Log All Events That Affect System Integrity . . 34
O   2.11.4  Ability to Select Reliable Delivery  . . . . . . . . . . . 35
O   2.12.11 Enforce Selection of Strong Local Static
O           Authentication Tokens (Passwords)  . . . . . . . . . . . . 43
O   2.12.12 Support Device-to-Device Authentication  . . . . . . . . . 43

In particular, I'm worried about 2.11.1.  It seems particularly
important, although I don't know of any vendor that does it yet.

That's all for now...

...nz