
Re: opsec BoF summary



On Tue, 2 Mar 2004, Steve Bellovin wrote:

> I think the BoF went very well.  The reviewers -- Dave Harrington, Dave
> Meyer, Dan Romascanu, Fred Baker, and Pekka Savola, with Ross Callon as
> chair -- were pretty consistent in their comments:  the document is
> basically very good (though some work is needed), and should be
> published soon.  However, turning it into a full-fledged BCP will be a
> lot of work; Fred in particular was quite vocal about that, based on
> his experience doing Router Requirements way back when.  Accordingly,
> the reviewers and the room agreed (strong consensus) that the document
> should be published soon as Informational.

That being said, I'm going to get back to finishing the tracker
comments with the thought that it will be an info with strong
BCP leanings...i.e. I'm still going to word things as if it
were going to be a BCP.

I'm going to add prominent warnings near the front that it is not
normative and warning against using the entire doc as a single
checklist item...what it was from the beginning and still is is a list
of security features that operators of LARGE nets need to deploy
securely...  different environments (e.g. nets that use OOB vs nets
that use In-band mgt) have different reqs.  People need to think about
their own reqs.  This doc is intended to help that process, not be a
replacement for evaluation of local needs.

If someone wants to wordsmith that, I'd be open to contributions.

> There was, however, some
> unease about 2119-style language in an Informational document.

I'd also be open to suggestions about what to do (if anything) about
the MUST/SHOULD/etc. language.

Thanks again...especially to the reviewers and those who have taken
the time to read and comment.

---George