Guidelines for Writing RFC Text on Security Considerations (RFC3552)

IP.com Disclosure Number: IPCOM000018642D
Original Publication Date: 2003-Jul-01
Included in the Prior Art Database: 2003-Jul-30

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

E. Rescorla: AUTHOR [+2]

Abstract

All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 3% of the total text.

Network Working Group                                        E. Rescorla
Request for Comments: 3552                                    RTFM, Inc.
BCP: 72                                                        B. Korver
Category: Best Current Practice                          Xythos Software
                                             Internet Architecture Board
                                                                     IAB
                                                               July 2003

       Guidelines for Writing RFC Text on Security Considerations

Status of this Memo

   This document specifies an Internet Best Current Practices for the
   Internet Community, and requests discussion and suggestions for
   improvements.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   All RFCs are required to have a Security Considerations section.
   Historically, such sections have been relatively weak.  This document
   provides guidelines to RFC authors on how to write a good Security
   Considerations section.

Table of Contents

   1. Introduction . . . . . . . . . . . . . . . . . . . . . . .   3
      1.1. Requirements. . . . . . . . . . . . . . . . . . . . .   3
   2. The Goals of Security. . . . . . . . . . . . . . . . . . .   3
      2.1. Communication Security. . . . . . . . . . . . . . . .   3
           2.1.1. Confidentiality. . . . . . . . . . . . . . . .   4
           2.1.2. Data Integrity . . . . . . . . . . . . . . . .   4
           2.1.3. Peer Entity authentication . . . . . . . . . .   4
      2.2. Non-Repudiation . . . . . . . . . . . . . . . . . . .   5
      2.3. Systems Security. . . . . . . . . . . . . . . . . . .   5
           2.3.1. Unauthorized Usage . . . . . . . . . . . . . .   6
           2.3.2. Inappropriate Usage. . . . . . . . . . . . . .   6
           2.3.3. Denial of Service. . . . . . . . . . . . . . .   6
   3. The Internet Threat Model. . . . . . . . . . . . . . . . .   6
      3.1. Limited Threat Models . . . . . . . . . . . . . . . .   7
      3.2. Passive Attacks . . . . . . . . . . . . . . . . . . .   7
           3.2.1. Confidentiality Violations . . . . . . . . . .   8
           3.2.2. Password Sniffing. . . . . . . . . . . . . . .   8
           3.2.3. Offline Cryptographic Attacks. . . . . . . . .   9

Rescorla & Korver        Best Current Practice                  [Page 1]

RFC 3552           Security Considerations Guide...