RFC 3552 (rfc3552) - Page 3 of 44


Guidelines for Writing RFC Text on Security Considerations



Alternative Format: Original Text Document



RFC 3552           Security Considerations Guidelines          July 2003


   Authors' Addresses. . . . . . . . . . . . . . . . . . . . . .  43
   Full Copyright Statement. . . . . . . . . . . . . . . . . . .  44

1. Introduction

   All RFCs are required by RFC 2223 to contain a Security
   Considerations section.  The purpose of this is both to encourage
   document authors to consider security in their designs and to inform
   the reader of relevant security issues.  This memo is intended to
   provide guidance to RFC authors in service of both ends.

   This document is structured in three parts.  The first is a
   combination security tutorial and definition of common terms; the
   second is a series of guidelines for writing Security Considerations;
   the third is a series of examples.

1.1. Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14, RFC 2119
   [KEYWORDS].

2. The Goals of Security

   Most people speak of security as if it were a single monolithic
   property of a protocol or system, however, upon reflection, one
   realizes that it is clearly not true.  Rather, security is a series
   of related but somewhat independent properties.  Not all of these
   properties are required for every application.

   We can loosely divide security goals into those related to protecting
   communications (COMMUNICATION SECURITY, also known as COMSEC) and
   those relating to protecting systems (ADMINISTRATIVE SECURITY or
   SYSTEM SECURITY).  Since communications are carried out by systems
   and access to systems is through communications channels, these goals
   obviously interlock, but they can also be independently provided.

2.1. Communication Security

   Different authors partition the goals of communication security
   differently.  The partitioning we've found most useful is to divide
   them into three major categories: CONFIDENTIALITY, DATA INTEGRITY and
   PEER ENTITY AUTHENTICATION.







Rescorla & Korver        Best Current Practice