[Ach] Scope and audience

Rainer Hoerbe rainer at hoerbe.at
Mon Dec 16 10:19:22 CET 2013


I praise the paper for having a clear and narrow scope that is very useful for sysadmins who have a good grasp of crypto but no time to follow the discussion on ciphers etc. However, a possible pitfall is that sysadmins who are less enlightened with respect to crypto may think that this link of the chain already delivers strong security on its own. So I would recommend that the reader be guided to related topics that are required for good crypto as well.

Rationale: In this paper the responsibilities of a sysadmin seem to be restricted to doing a proper configuration of services. However, in many SMEs IT operations are quite versatile and sysadmins have a broad job description. Related processes and responsibilities should be named.

Suggested change: Parts of what is already contained in the disclaimer could be phrased in positive words that induce action. So it would make sense to include a "what else to consider" section in the background part, explaining the tasks and providing pointers. It could use language like:

== Other security considerations related to crypto ==
It is vital to avoid any false sense of security that might be derived from properly configured cipher suites. While it is out of scope for this document to provide sufficient guidance on additional duties, system administrators should be aware of:
* Key management (add a few sentences explaining protection, distribution, rollover)
* Operations procedures (explain how to avoid requirements for availability superseding security in unexpected or emergency incidents. This is more psychological than technical)
* Risk perspective (some text to help choose the appropriate controls. When would one need to opt for VPN + HTTPS, or SMTP/TLS + S/MIME? When is browser PKI good enough?)
* Prevention of non-crypto attacks on crypto protocols
* Secure client configuration (encrypted storage, browser PKI, ...)

This should help the over-worked and under-cherished sysadmin to cover his back.

Best regards
Rainer Hörbe
http://www.linkedin.com/in/rainerhoerbe