
opsec BoF summary



I think the BoF went very well.  The reviewers -- Dave Harrington, Dave 
Meyer, Dan Romascanu, Fred Baker, and Pekka Savola, with Ross Callon as 
chair -- were pretty consistent in their comments:  the document is 
basically very good (though some work is needed), and should be 
published soon.  However, turning it into a full-fledged BCP will be a 
lot of work; Fred in particular was quite vocal about that, based on 
his experience doing Router Requirements way back when.  Accordingly, 
the reviewers and the room agreed (strong consensus) that the document 
should be published soon as Informational.  There was, however, some 
unease about 2119-style language in an Informational document.

There was also strong consensus for follow-on documents, via an opsec 
working group.  This WG should produce the BCP version, but its form is 
unclear.

There was much less agreement on what those additional documents should 
be.  Some people suggested an Informational document with lists of 
features, and a set of per-environment BCPs specifying what features 
were applicable where.  But it's hard to figure out what environments 
we should cover.  Fred suggested a functional split instead -- features 
for availability, features for secure remote access, etc.  This will 
take considerable discussion on the mailing list.

Eliot Lear acted as Jabber scribe (using my laptop -- everything from 
<smb> is really from Eliot, and I thank him profusely).  You can find 
the log at http://www.xmpp.org/ietf-logs/opsec@ietf.xmpp.org/2004-03-01.html


		--Steve Bellovin, http://www.research.att.com/~smb