RFC 3365 (rfc3365) - Page 2 of 8


Strong Security Requirements for Internet Engineering Task Force Standard Protocols






RFC 3365            Encryption Security Requirements         August 2002


1.  Introduction

   The purpose of this document is to document the IETF consensus on
   security requirements for protocols as well as to provide the
   background and motivation for them.

   The Internet is a global network of independently managed networks
   and hosts.  As such there is no central authority responsible for the
   operation of the network.  There is no central authority responsible
   for the provision of security across the network either.

   Security needs to be provided end-to-end or host to host.  The IETF's
   security role is to ensure that IETF standard protocols have the
   necessary features to provide appropriate security for the
   application as it may be used across the Internet.  Mandatory to
   implement mechanisms should provide adequate security to protect
   sensitive business applications.

2.  Terminology

   Although we are not defining a protocol standard in this document we
   will use the terms MUST, MAY, SHOULD and friends in the ways defined
   by [RFC 2119].

3.  Security Services

   [RFC 2828] provides a comprehensive listing of internetwork security
   services and their definitions.  Here are three essential
   definitions:

   * Authentication service:  A security service that verifies an
     identity claimed by or for an entity, be it a process, computer
     system, or person.  At the internetwork layer, this includes
     verifying that a datagram came from where it purports to originate.
     At the application layer, this includes verifying that the entity
     performing an operation is who it claims to be.

   * Data confidentiality service:  A security service that protects
     data against unauthorized disclosure to unauthorized individuals or
     processes.  (Internet Standards Documents SHOULD NOT use "data
     confidentiality" as a synonym for "privacy", which is a different
     concept.  Privacy refers to the right of an entity, normally a
     person, acting in its own behalf, to determine the degree to which
     it will interact with its environment, including the degree to
     which the entity is willing to share information about itself with
     others.)





Schiller                 Best Current Practice