CURRENT_MEETING_REPORT_
Reported by Richard Pethia/CERT
SPWG Minutes
The Security Policy Working Group (spwg) met during the Twentieth
Internet Engineering Task Force (IETF) meeting in St. Louis, on
Tuesday, March 12, 1991. The latest draft of the Proposed Security
Policy was presented and discussed.
Discussion during the meeting focused on two areas of concern: user
authentication and local security.
User Authentication
While there is general agreement that individual users should be held
accountable for their actions, there is not the same level of agreement
that all users should be unambiguously identified for all types of
Internet access.
Proponents of strong, mandatory, user authentication and access control
mechanisms point to problems caused by ``general use'' accounts and
``open'' (without password) terminal servers where individuals take
advantage of these open systems and use them as platforms to attack
(access without authorization) other Internet systems. This group
believes the use of simple user authentication and access control
mechanisms would significantly reduce the problem. Steve Wolff,
National Science Foundation (NSF), supported this position and indicated
that it is NSF's position that individual user authentication and
accountability should be required for access to NSFNET.
Opponents of this view believe enforced, unambiguous identification for
all Internet access would potentially restrict the utility of the
network (e.g., not allow a university library to set up ``open''
terminals that allow the university's students to browse the information
resource), or would place an administrative burden (e.g., issuing all
university students unique account names and passwords, and managing
those accounts and passwords) on sites that would be too expensive for
some sites to bear, or could, in some way, infringe on a person's
privacy by collecting data on the person's actions.
Rather than attempt to resolve the controversy at this point in time, it
was decided that the proposal would be changed to remove the phrases
that called for a ban on ``open'' servers and stress the importance of
individuals' accountability for their actions.
Local Security
Another area of concern was the elaboration section of item 3 (local
security). Included in this section was a listing of five elements
needed for good local security. This listing treated local security in
greater depth than any other issue in the document. To balance the
discussion of issues, the list was removed from the body of the proposal
and included as an appendix. In addition, it was decided that two of
the elements listed would be modified according to suggestions and
comments received. The group discussed that there are trade-offs
between strict security and the usability of systems. A paragraph would
be added to touch on this subject.
Additional discussion centered around how the document would be used and
interpreted. Some people felt that since the title included the word
``policy'', it would be used as if it were legally enforceable. For
this reason the title of the document was changed to ``Guidelines for
the Secure Operation of the Internet''. Necessary changes within the
body of the document would be made to match the title change.
The group felt that it was necessary to push forward with the document.
Vint Cerf suggested that the nature of this document was unique within
the document collection of the IETF and that it would be helpful to have
it reviewed by the Internet Advisory Board (IAB). The IAB could then
advise the group as to how the document should be handled. To that end,
the following schedule was set.
    March 18    Final draft completed
    March 19    Draft emailed to internet-drafts@nri.reston.va.us
    April 3     Document to be discussed during IAB teleconference.
Whether or not the Working Group meets at the next IETF will be based
upon the outcome of the IAB's review of the document.
Attendees
Warren Benson wbenson@zeus.unomaha.edu
David Benton benton@bio.nlm.nih.gov
Randy Butler rbutler@ncsa.uiuc.edu
Vinton Cerf vcerf@NRI.Reston.VA.US
Martina Chan mchan@mot.com
Stephen Crocker crocker@tis.com
Jeffrey Edelheit edelheit@smiley.mitre.org
Fred Engel engel@concord.com
Barbara Fraser byf@cert.sei.cmu.edu
Neil Haller nmh@bellcore.com
Sergio Heker heker@jvnc.net
J. Paul Holbrook holbrook@cic.net
Philip Karn karn@thumper.bellcore.com
April Merrill
Richard Pethia rdp@cert.sei.cmu.edu
Robert Reschly reschly@brl.mil
Jeffrey Schiller jis@mit.edu
Tim Seaver tas@mcnc.org
Albert Soule als@sei.cmu.edu
Mike Turico mturico@mot.com
Daniel Weidman weidman@wudos2.wustl.edu
Stephen Wolff steve@nsf.gov
C. Philip Wood cpw@lanl.gov
Osmund deSouza desouza@osdpc.ho.att.com