[ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]

[Stephen Farrell]

>> 5.  Derived Requirements
>
>
> This section is incomplete, but was added in response to a specific  
> request.  It makes sense to me because we're doing this before the  WG 
> takes up the base and SSP drafts.  To some extent we get to  define 
> what's in the threat analysis document, so if there is  consensus (and 
> agreement from the chairs) that we don't need this  section, I'll make 
> it go away.

Well, I'm not so sure about that, since that section could be useful
later on.

The idea is that that section would contain whatever security (or
other I guess) requirements that we derive whilst doing the threat
analysis. Then when we're about at last call on the standards track
documents, we can check back and see if that document meets the
relevant requirements derived from the threat analysis. If it does,
fine. If not, then we should justify the divergence or fix something.

I'd personally rather we tried this and if its not turning out to
be useful (i.e. if we can't fairly easily derive some testable
requirements) then at that point we can delete the section or put
in some text as to why we're not deriving requirements.

Stephen.

PS: The charter does say we'll do/try this too.