[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: "Last Look" at the RADIUS Design Guidelines document

To: Avi Lior <avi@bridgewatersystems.com>
Subject: Re: "Last Look" at the RADIUS Design Guidelines document
From: Alan DeKok <aland@deployingradius.com>
Date: Sun, 10 Jan 2010 11:41:39 +0100
Cc: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, Bernard Aboba <bernard_aboba@hotmail.com>, "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
In-reply-to: <0FDF9DA0-78B3-447C-BC12-385FC14BF395@bridgewatersystems.com>
References: <BLU137-DS775603F234B606AC3D29393930@phx.gbl> <AC1CFD94F59A264488DC2BEC3E890DE50951354E@xmb-sjc-225.amer.cisco.com> <4B2C8571.8020800@deployingradius.com> <AC1CFD94F59A264488DC2BEC3E890DE50951362C@xmb-sjc-225.amer.cisco.com> <03F83471-5AA6-4B7F-ABF9-EC2723601ACC@bridgewatersystems.com> <4B444BF2.5060908@deployingradius.com> <27FD2D38-1F47-46B9-B27D-73D6D4C2E4FF@bridgewatersystems.com> <4B44A4E9.4040103@deployingradius.com> <4E071056-BE1A-4825-8DC4-698D7BFC31EA@bridgewatersystems.com> <4B487AEB.10506@deployingradius.com> <0FDF9DA0-78B3-447C-BC12-385FC14BF395@bridgewatersystems.com>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

Avi Lior wrote:
> I still think it is silly  -  it is saying that a new things are buggy and potentially have security issues.
> 
> But so is the use of a new attribute using an existing data type.

  Again, the logical fallacy of "change is change, so all change has the
same risk".

>  But anyway if you insist on having some text about new data types then look at my changes.
...
> New text..... AND MOVE THIS TO THE SECURITY SECTION....
> 
> 2.1.4.  New Data types and Security
> 
>    The introduction of NEW data types brings the potential for the
>    introduction of new security vulnerabilities.

  That's true, though it encourages view that simple changes have the
same risk as complex ones.  This isn't true, and the existing text does
not have that problem.

> """ TAKE THE FOLLOWING TWO PARAGRAPHS OUT SINCE YOU ARE TALKING ABOUT RADIUS IN THIS DOCUMENT. """

  Those paragraphs talk about BCP for RADIUS.  (The word RADIUS appears
4 times in the two paragraphs).  If they ignored RADIUS, and only
discussed application-layer issues, I could see your point.

  But the text could arguably appear in the security section of the
document.  There's no compelling reason to keep it in the main body of
the document.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: "Last Look" at the RADIUS Design Guidelines document
  - From: Avi Lior <avi@bridgewatersystems.com>
- RE: "Last Look" at the RADIUS Design Guidelines document
  - From: "Dave Nelson" <d.b.nelson@comcast.net>

References:
- Re: "Last Look" at the RADIUS Design Guidelines document
  - From: Avi Lior <avi@bridgewatersystems.com>
- Re: "Last Look" at the RADIUS Design Guidelines document
  - From: Alan DeKok <aland@deployingradius.com>
- Re: "Last Look" at the RADIUS Design Guidelines document
  - From: Avi Lior <avi@bridgewatersystems.com>
- Re: "Last Look" at the RADIUS Design Guidelines document
  - From: Alan DeKok <aland@deployingradius.com>
- Re: "Last Look" at the RADIUS Design Guidelines document
  - From: Avi Lior <avi@bridgewatersystems.com>
- Re: "Last Look" at the RADIUS Design Guidelines document
  - From: Alan DeKok <aland@deployingradius.com>
- Re: "Last Look" at the RADIUS Design Guidelines document
  - From: Avi Lior <avi@bridgewatersystems.com>

Prev by Date: Re: "Last Look" at the RADIUS Design Guidelines document
Next by Date: RE: "Last Look" at the RADIUS Design Guidelines document
Previous by thread: Re: "Last Look" at the RADIUS Design Guidelines document
Next by thread: RE: "Last Look" at the RADIUS Design Guidelines document
Index(es):
- Date
- Thread