Re: "Last Look" at the RADIUS Design Guidelines document



Avi Lior wrote:
> I still think it is silly - it is saying that new things are buggy and potentially have security issues.
> 
> But so is the use of a new attribute using an existing data type.

  Again, the logical fallacy of "change is change, so all change has the
same risk".

>  But anyway if you insist on having some text about new data types then look at my changes.
...
> New text..... AND MOVE THIS TO THE SECURITY SECTION....
> 
> 2.1.4.  New Data types and Security
> 
>    The introduction of NEW data types brings the potential for the
>    introduction of new security vulnerabilities.

  That's true, though it encourages the view that simple changes have
the same risk as complex ones.  This isn't true, and the existing text
does not have that problem.

> """ TAKE THE FOLLOWING TWO PARAGRAPHS OUT SINCE YOU ARE TALKING ABOUT RADIUS IN THIS DOCUMENT. """

  Those paragraphs talk about BCP for RADIUS.  (The word RADIUS appears
4 times in the two paragraphs).  If they ignored RADIUS, and only
discussed application-layer issues, I could see your point.

  But the text could arguably appear in the security section of the
document.  There's no compelling reason to keep it in the main body of
the document.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>