Hi all,
On 2/10/25 6:17 PM, Jean Mahoney wrote:
Hi all,
First off, the RPC apologizes for not catching the lack of Security
Considerations in other IAB workshop documents (RFCs 9490, 9307, and
9075). As one of the editors of RFC 9490, I can only say that I noted
the lack of Security Considerations on our checklist, but I failed to
write a question about it to the authors.
On 2/6/25 10:15 PM, Suresh Krishnan wrote:
Hi Mirja,
My read from the meeting mostly similar to yours but slightly
different. The IAB was in agreement that a Security Considerations
section was not necessary for workshop reports, but there was also a
concern raised about this being seen as an exception being made for
the IAB given that RFC7322 requires this of all RFCs. If we want to
codify this exception we should probably take it up as a retreat topic.
[JM] Please note that the requirement for a Security Considerations
section goes back to RFC 1543 "Instructions to RFC Authors" [1]. The
inclusion of a Security Considerations section is considered an RFC
Series policy.
The RPC recommends that the recently added Security Considerations
section remain in RFC-to-be 9707, and that the discussion of the
applicability of the Security Considerations section take place on the
RSWG mailing list. There is already the concept of an "empty" Security
Considerations section ("This document does not impact the security of
the Internet"), which has been used in multiple RFCs. We could add
clearer guidance to rfc7322bis about the use of the "empty" Security
Considerations section, or perhaps there could be an update to RFC 3552
"Guidelines for Writing RFC Text on Security Considerations" [2].
[JM] I heard off list that I wasn't clear here, so I'll rephrase: All
RFCs must have a Security Considerations section. Any proposal to change
a policy such as this needs to be taken to the RSWG mailing list.
Best regards,
Jean
Best regards,
Jean
[1] https://www.rfc-editor.org/rfc/rfc1543#section-8
[2] https://www.rfc-editor.org/rfc/rfc3552
Regards
Suresh
On Feb 6, 2025, at 12:13 PM, Mirja Kuehlewind (IETF)
<i...@kuehlewind.net> wrote:
Hi Suresh, hi all,
Actually we discussed this yesterday at the IAB meeting and I thought
we agreed that we don’t want security considerations in workshop
reports.
Mirja
On 6. Feb 2025, at 18:01, Sandy Ginoza <sgin...@amsl.com> wrote:
Hi Suresh, Mirja,
Thank you for your replies. The document has been updated to
include the following as the Security Considerations text.
This document is a workshop report and does not impact the
security of the Internet.
Mirja, please let us know if any additional updates are needed or if
you approve the RFC for publication.
Thank you,
RFC Editor/sg
On Feb 5, 2025, at 8:11 PM, Suresh Krishnan
<suresh.krish...@gmail.com> wrote:
Hi Lynne,
As the document shepherd I am fine with skipping the Security
Considerations in this document, as has been done for some past
workshop reports. If you feel that special casing these sends out a
wrong message to the community I think we can add your proposed
boilerplate text and consistently do so for the future.
Thanks
Suresh
On Feb 3, 2025, at 11:53 AM, Lynne Bartholomew
<lbartholo...@staff.rfc-editor.org> wrote:
Hi, Mirja and *Suresh.
Mirja, checking in with you regarding the status of this
document. It appears that several questions remain open.
* Suresh, please note that in your capacity as Document Shepherd
we also need to hear from you regarding the Security
Considerations section and Mirja's comments below.
Please review and advise.
The latest files are posted here. Please refresh your browser:
https://www.rfc-editor.org/authors/rfc9707.txt
https://www.rfc-editor.org/authors/rfc9707.pdf
https://www.rfc-editor.org/authors/rfc9707.html
https://www.rfc-editor.org/authors/rfc9707.xml
https://www.rfc-editor.org/authors/rfc9707-diff.html
https://www.rfc-editor.org/authors/rfc9707-rfcdiff.html (side by
side)
https://www.rfc-editor.org/authors/rfc9707-auth48diff.html
https://www.rfc-editor.org/authors/rfc9707-auth48rfcdiff.html
(side by side)
https://www.rfc-editor.org/authors/rfc9707-lastdiff.html
https://www.rfc-editor.org/authors/rfc9707-lastrfcdiff.html (side
by side)
https://www.rfc-editor.org/authors/rfc9707-xmldiff1.html
https://www.rfc-editor.org/authors/rfc9707-xmldiff2.html
Thank you!
RFC Editor/lb
On Jan 21, 2025, at 7:32 AM, Mirja Kuehlewind (IETF)
<i...@kuehlewind.net> wrote:
On 8. Jan 2025, at 00:49, Sandy Ginoza <sgin...@amsl.com> wrote:
Hi all,
Please see comments below.
On Jan 7, 2025, at 9:45 AM, Lynne Bartholomew
<lbartholo...@amsl.com> wrote:
Mirja: I don’t think security considerations are useful for
workshop reports. All workshop reports that I’ve been involved
with did not have security considerations but I did see that
some other reports do. However, I assume they have mostly been
added during AUTH48 based on this kind of request.
Particularly just adding the sentence above is not useful and
I wouldn’t want to do that just for the sake for process. If
we want security consideration we should come up with real
ones but as I said I don’t think we should just add anything
to report in that respect. I think we should conclude with the
IAB to not have security consideration for workshop reports in
general in future.
[rfced] Agreed that the section isn't necessary in this case,
but for the time being, we need to follow our current process,
which includes asking the Document Shepherd for approval.
The IAB document shepherd or IAB stream manager or maybe IAB chair?
That being said, would you like us to set precedent here by
removing the Security Considerations and asking the Document
Shepherd for approval of the new form?
RFC9490 (M-TEN), RFC9307 (AID), and RFC9075 (COVID) don’t have
security consideration. Yes, I’m an author on all of these,
however, just saying this one wouldn’t set the precedent.
Jumping in on this one - Security Considerations are required
per the RFC Style Guide (see https://www.rfc-editor.org/rfc/
rfc7322.html#section-4.8.5). We suggest the following:
This document is a workshop report and does not impact the
security of the Internet.
I’d be fine with that and in this case we should just use this
exact same phrasing for all reports in my opinion.
If the IAB would like to discuss special handling for IAB
workshop reports, we prefer having the discussion outside of an
AUTH48. Please let us know if the text above is acceptable.
Yes, we can’t decide this for good in the auth48 process,
however, we could simply add a short item to the next IAB call. I
don’t think this would need a long discussion…
Mirja
Thanks,
Sandy
--
auth48archive mailing list -- auth48archive@rfc-editor.org
To unsubscribe send an email to auth48archive-le...@rfc-editor.org
