[Ach] Scope and audience
L. Aaron Kaplan
kaplan at cert.at
Mon Dec 16 10:54:46 CET 2013
On Dec 16, 2013, at 10:19 AM, Rainer Hoerbe <rainer at hoerbe.at> wrote:
> I praise the paper for having a clear and narrow scope that is very useful for sysadmins who have a good grasp on crypto but no time for following the discussion on ciphers etc. However, a possible pitfall is that sysadmins who are less enlightened with respect to crypto may think that this link of the chain already delivers strong security on its own. So I would recommend that the reader should be guided to related topics that are required for good crypto as well.
> Rationale: In this paper the responsibilities of a sysadmin seem to be restricted to doing a proper configuration of services. However, in many SMEs IT operation is quite versatile and sysadmins have a broad job description. Related processes and responsibilities should be named.
> Suggested change: Parts of what is already contained in the disclaimer could be phrased in positive words that induce actions. So it would make sense to include a “what else to consider” section in the background part, explaining the tasks and providing pointers. It could be a language like:
> == Other security considerations related to crypto ==
> It is vital to avoid any false sense of security that might be derived from properly configured cipher suites. While it is out of scope for this document to provide sufficient guidance on additional duties, system administrators should be aware of:
> * Key management (add a few sentences explaining protection, distribution, rollover)
> * Operations procedures (explain how to avoid requirements for availability superseding security in unexpected or emergency incidents. This is rather psychological than technical)
> * Risk perspective (some text to help choose the appropriate controls. When would one need to opt for VPN + HTTPS, or SMTP/TLS + S/MIME? When is browser PKI good enough?)
> * Prevention of non-crypto attacks on crypto protocols
> * Secure client configuration (encrypted storage, browser PKI, ...)
Makes sense, thanks for the input.
I intended to change the disclaimer yesterday but did not finish it.
I'll include your input.
> This should help the over-worked and under-cherished sysadmin to cover his back.
> Best regards
> Rainer Hörbe
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg