Strong Security Requirements for Internet Engineering Task Force Standard Protocols
RFC 3365 Encryption Security Requirements August 2002
1. Introduction
The purpose of this document is to document the IETF consensus on
security requirements for protocols as well as to provide the
background and motivation for them.
The Internet is a global network of independently managed networks
and hosts. As such there is no central authority responsible for the
operation of the network. There is no central authority responsible
for the provision of security across the network either.
Security needs to be provided end-to-end or host to host. The IETF's
security role is to ensure that IETF standard protocols have the
necessary features to provide appropriate security for the
application as it may be used across the Internet. Mandatory to
implement mechanisms should provide adequate security to protect
sensitive business applications.
2. Terminology
Although we are not defining a protocol standard in this document we
will use the terms MUST, MAY, SHOULD and friends in the ways defined
by [RFC 2119].
3. Security Services
[RFC 2828] provides a comprehensive listing of internetwork security
services and their definitions. Here are three essential
definitions:
* Authentication service: A security service that verifies an
identity claimed by or for an entity, be it a process, computer
system, or person. At the internetwork layer, this includes
verifying that a datagram came from where it purports to originate.
At the application layer, this includes verifying that the entity
performing an operation is who it claims to be.
* Data confidentiality service: A security service that protects
data against unauthorized disclosure to unauthorized individuals or
processes. (Internet Standards Documents SHOULD NOT use "data
confidentiality" as a synonym for "privacy", which is a different
concept. Privacy refers to the right of an entity, normally a
person, acting in its own behalf, to determine the degree to which
it will interact with its environment, including the degree to
which the entity is willing to share information about itself with
others.)
Schiller Best Current Practice