RFC 3552 (rfc3552) - Page 3 of 44
Guidelines for Writing RFC Text on Security Considerations
Alternative Format: Original Text Document
RFC 3552 Security Considerations Guidelines July 2003
Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . 43
Full Copyright Statement. . . . . . . . . . . . . . . . . . . 44
1. Introduction
All RFCs are required by RFC 2223 to contain a Security
Considerations section. The purpose of this is both to encourage
document authors to consider security in their designs and to inform
the reader of relevant security issues. This memo is intended to
provide guidance to RFC authors in service of both ends.
This document is structured in three parts. The first is a
combination security tutorial and definition of common terms; the
second is a series of guidelines for writing Security Considerations;
the third is a series of examples.
1.1. Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119
[KEYWORDS].
2. The Goals of Security
Most people speak of security as if it were a single monolithic
property of a protocol or system, however, upon reflection, one
realizes that it is clearly not true. Rather, security is a series
of related but somewhat independent properties. Not all of these
properties are required for every application.
We can loosely divide security goals into those related to protecting
communications (COMMUNICATION SECURITY, also known as COMSEC) and
those relating to protecting systems (ADMINISTRATIVE SECURITY or
SYSTEM SECURITY). Since communications are carried out by systems
and access to systems is through communications channels, these goals
obviously interlock, but they can also be independently provided.
2.1. Communication Security
Different authors partition the goals of communication security
differently. The partitioning we've found most useful is to divide
them into three major categories: CONFIDENTIALITY, DATA INTEGRITY and
PEER ENTITY AUTHENTICATION.
Rescorla & Korver Best Current Practice