Current Meeting Report


Reported by Richard Pethia/CERT

SPWG Minutes

The Security Policy Working Group (spwg) met to review the November 28,
1990 working draft Internet Security Policy Recommendations and to
identify the next steps in moving the recommendations forward.

Review

There was considerable discussion on the purpose of the document and on
the ability of the IETF, the IAB, or any other organization to enforce
Internet security policy.  As stated in the document:

``It is important to recognize that the voluntary nature of the Internet
system is both its strength and, perhaps, its most fragile aspect.
Rules of operation, like the rules of etiquette, are voluntary and,
largely, unenforceable, except where they happen to coincide with
national laws whose violation can lead to prosecution.''

``A common set of rules for the successful and increasingly secure
operation of the Internet can, at best, be voluntary, since the laws of
various countries are not uniform regarding data networking.  Indeed,
the recommended Internet Security Policy outlined below can also only be
voluntary.  However, since joining the Internet is optional, it is also
fair to argue that the Internet Rules of Behavior are part of the
bargain for joining and that failure to observe, apart from any legal
infrastructure available, is grounds for sanctions.''

Recognizing this, and recognizing the need to state a purpose for the
document, it was decided that:


   o The recommended policy serves as an enabling document.  It acts to
     encourage development of local policy and encourage consistency
     across the policies of different organizations.
   o It is a tool to heighten awareness of security issues and
     encourages improvements in Internet security.


The policy recommendation elaborates on six main points, and contains a
set of appendices that provide additional, relevant information.  The
six main points are:

  1. Users are individually responsible for understanding and respecting
     the security rules of the systems they are using.  Users are
     individually accountable for their own behavior.
  2. Site and network service providers are responsible for maintaining
     the security of the systems they operate.
  3. Vendors and system developers are responsible for providing systems
     which are sound and have adequate security controls.
  4. Users have responsibility to use available mechanisms and
     procedures for protecting their own data, and they also have
     responsibility for assisting in the protection of the systems they
     use.
  5. Users, service providers and hardware and software vendors are
     expected to cooperate in the provision of security.
  6. Technical improvements in Internet security protocols should be
     sought on a continuing basis.


It was agreed that these six points generally cover all the pertinent
issues, but there may need to be some rewording, to promote consistency
in interpretation.  Elaborations should be modified/expanded to better
deal with the financial and operational realities of many organizations
(e.g., provide a discussion of techniques a site can use to establish a
24-hour security contact without increasing staff or significantly
increasing the budget).  Finally, it was suggested that the
recommendations be carefully reviewed to ensure they are not perceived
in a negative way (i.e., would not cause anyone to hesitate in
connecting to the Internet or cause existing sites to disconnect).

Next Steps

It was agreed that the next steps in advancing the recommendations
should be:


   o Revise the November 28, 1990 draft to incorporate review comments
     (targeted for completion before the end of January).
   o Disseminate for wider review and approval using standard IETF
     processes.
   o Deliver and present to selected audiences (e.g., regionals, sites,
     FARNET) for focused discussion and feedback.
   o Develop plan for packaging and broad dissemination (e.g., could be
     packaged along with acceptable use policy and distributed with new
     membership agreements.)

Attendees

Ashok Agrawala           agrawala@cs.umd.edu
Vinton Cerf              vcerf@NRI.Reston.VA.US
Steve Crocker            crocker@tis.com
James Dray               dray@st1.ncsl.nist.gov
Fred Engel
Peter Ford               peter@lanl.gov
James Galvin             galvin@tis.com
Jack Hahn                hahn@umd5.umd.edu
Joel Jacobs              jdj@mitre.org
Dale Johnson             dsj@merit.edu
Darren Kinley            kinley@crim.ca
Mark Koro                koro@dockmaster.mil
William Kutz             Kutz@dockmaster.ncsc.mil
John Linn                linn@zendia.enet.dec.com
Daniel Long              long@bbn.com
Fred Ostapik             fred@nisc.sri.com
Richard Pethia           rdp@cert.sei.cmu.edu
Robert Reschly           reschly@brl.mil
Jeffrey Schiller         jis@mit.edu
Tim Seaver               tas@mcnc.org
Kannan Varadhan          kannan@oar.net
C. Philip Wood           cpw@lanl.gov
