Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.toronto.edu!ietf-distribution-owner
Message-ID: <9106180724.AA14000@garuda.sics.se>
Original-To: Steve Kent
Original-Cc: iab@ISI.EDU, ietf@ISI.EDU
Subject: re: Internet Security Guidelines I-D
From: craig@sics.se (Craig Partridge)
Date: Tue, 18 Jun 1991 03:24:09 -0400
Sender: craig@sics.se
Newsgroups: list.ietf
Distribution: list
Sender: list-admin@cs.toronto.edu
Approved: list.ietf@mail.cs.toronto.edu
Lines: 27

Steve:

I've got a comment. I'm deeply distressed by the guidelines which
place responsibilities on the users without placing any responsibilities
on providers to notify users. In my experience, some level of "abuse"
is by users who aren't told what's correct.

So I'd change item (3) from

> 3) Computer and network service providers are responsible
> for maintaining the security of the systems they operate.

to

+ 3) Computer and network service providers are responsible
+ for maintaining the security of the systems they operate
+ and for notifying users of their security policies
+ and any changes to their security policies.

Yes I know about the old saw "ignorance of the law is not a defense"
however, we have mechanisms in society at large to make people aware
of the laws they are living under (e.g. driver's tests, civics laws,
newspapers, etc.) -- we should make sure that a similar information
mechanism is available on networks. (I note that Appendix A(i) mentions
this need, but I believe it must be stated more forcefully as an integral
part of the system).

Craig