CURRENT_MEETING_REPORT_



Reported by Richard Pethia/ CERT

Mintues of the SPWG Meeting of April 17, 1990

The purpose of the April 17 meeting was to review the spwg chater,
making any necessary changes, and to begin the activity of producing a
policy framework.

The initial discussion at the April 17 meeting focused on the utility of
producing a security policy for the Internet, an internetwork of many
networks sharing common name and address spaces.  Since the ``Internet''
has no single controlling entity, and since its components are owned,
operated, and administered by a variety of organizations, there was a
concern that it would not be possible to enforce an Internet Security
Policy in any useful way.

Despite the concerns, the attendees at this meeting decided that a
formal written policy, issued by the IAB as a recommendation in the form
of an RFC, could act as a vehicle to build concensus among the
organizations that own and operate components of the Internet.  While it
was concluded that uniform policy enforcement was probably not possible,
the effort of producing and promoting a security policy would benefit
the Internet community by focusing attention on Internet security issues
and by encouraging the component owners to take steps to improve the
security of those components.  In addition, the recommended policy could
act as a vehicle to establish expectations of community behavior and
could act as an enabling document for the development and implementation
of local policy.

The group then decided that the policy should address various audiences:
Internet users, host operators, network operators (including local
networks, regional networks, national backbones, and international
backbones), host vendors, and network vendors.  For each of these
audiences, the policy should speak to legal issues, technical issues,
and administrative issues.  Finally, the policy should, for each of the
audiences, deal with the following issues:  unauthorized access to data,
destruction of data, modification of data, unauthorized use of service,
and denial of service.

Attention then turned to the distinction between a policy and a
framework to be used in developing a policy.  It was generally felt that
the final result of the spwg effort should be a short, succinct document
that address the issues listed above.  The activity of developing the
policy, however, should proceed using some sort of framework that would
support the policy developers' efforts.  This ``Internet Security Policy
Development Framework'' should be structured to insure all key issues
are addressed and act as a working document that is elaborated over time
and serves to capture the work of the policy developers.  The initial
outline of the document is:

                                   1






  1. Introduction
     (a) Definitions and references (terms used in the balance of the
         document)
     (b) Internet definition
     (c) Scope of policy
     (d) Applicability
     (e) Authority
     (f) Focus and emphasis
  2. Inventory of existing policies.  A survey of existing policies,
     directives and laws that would influence an Internet security
     policy.
  3. Needed policy and architecture A description of the audiences and
     issues an Internet Security policy should address.
  4. Security Services Covers such areas as:  Service classes,
     information classes, subscribers and users, current architectural
     approaches, availability, etc.
  5. Certification and Accreditation Covers possible certification and
     accreditation activities including:  who are the authorities,
     certification of components, accreditation of facilities.
  6. Security Administration and Responsibilities Discusses issues as:
     overall security policy coordination, facility administration,
     component security administration, risk management, security
     training and awareness.


Minutes of the SPWG meeting of May 1, 1990

The purpose of the May 1st meeting was to discuss the policy development
framework created at the April meeting and to begin work documenting
areas of concern and key issues.

The framework was presented and there was general agreement that it
could be used as a vehicle to develop a proposed Internet security
policy.  Discusson focused on section 4 (Security Services) of the
outline and it was decided that the following three dimensions of the
problem should be considered


   o Security Threats/Services
      -  Confidentiality (theft of data)
      -  Integrity (destruction)
      -  Authentication (masquerade)
      -  Assured Service (denial of service)
   o Domains of Implementation
      -  Administrative
      -  Technical
      -  Legal
   o Who's Responsible
      -  Users
      -  Host Operators
      -  Router/Network operators
      -  Host Vendors
      -  Router vendors

                                   2






Finally, attendees brainstormed to produce the key issues listed below.
Several attendees (named on individual items below) agreed to draft
brief position statements on specific items in the early June time
frame.


   o Internet infrastructure assured service (Mike StJohns)
   o User Identification - including authentication, email, remote
     login, ftp (Vint Cerf)
   o Plugging Holes - individual responsibility (Tracy Laquey)
   o Incident Handling rules (Tracy Laquey)
   o Identification of resources (Tony Hain)
   o Lines of responsibility
   o User/Host/Network responsibilities (Paul Holbrook)
   o Proper usage; network ethics (James Van Bokkelen)
   o Configuration control
   o Audit trail
   o Confidentiality
   o Bad Press
   o User Identification - restricted access
   o Denial of Service - network service
   o Unauthorized access
   o Adequate response when being challenged about being a source of
     attacks (especially when cooperating with an investigation)
   o Known chain of responsibile authorities
   o Export restrictions - limitations enforcement


Attendees of the April Meeting


    Branstad, Dennis          dkb@ecf.ncsl.nist.gov
    Crocker, Steve            crocker@tis.com
    Elliott, Oma              oelliott@ddn1.dca.mil
    Ellis, James              ellis@psc.edu
    Gross, Phill              pgross@nri.reston.va.us
    Holbrook, Paul            ph@cert.sei.cmu.edu
    Hollingsworth, Greg       gregh@mailer.jhuapl.edu
    Jacobs, Joel              jdj@mitre.org
    Mills, Kevin              mills@osi3.ncsl.nist.gov
    Pethia, Rich              rdp@cert.sei.cmu.edu
    Shirey, Rob               shirey@mitre.org
    Tabacchi, Len
    Vaudreuil, Greg           Gvaudre@nri.reston.va.us



                                   3






Attendees of the May meeting


    Stan Ames                 sra@mbunix.mitre.org
    Tom Bajzek                twb@andrew.cmu.edu
    Alison Brown              alison@maverick.osc.edu
    Jeffrey S. Carpenter      jjc@unix.cis.pitt.edu
    Vinton Cerf               vcerf@NRI.Reston.VA.US
    Richard Colella           colella@osi3.ncsl.nist.gov
    Steve Crocker             crocker@tis.com
    James Davin               jrd@ptt.lcs.mit.edu
    Hunaid Engineer           hunaid@opus.cray.com
    James Galvin              galvin@tis.com
    Ella Gardner              epg@gateway.mitre.org
    Tony Hain                 hain@nmfecc.arpa
    Robert Hoffman            hoffman@cs.pitt.edu
    Paul Holbrook             ph@SEI.CMU.EDU
    Greg Hollingsworth        gregh@mailer.jhuapl.edu
    Phil Karn                 Karn@Thumper.Bellcore.Com
    Tracy Laquey              tracy@emx.utexas.edu
    Keith McCloghrie          sytek!kzm@hplabs.hp.com
    Gerald K Newman           gkn@sds.sdsc.edu
    Lee Oattes                oattes@utcs.utoronto.ca
    David Perkins             dave_perkins@3com.com
    Marsha Perrott            mlpt@andrew.emu.edu
    Richard Pethia            rdp@sei.cmu.edu
    Ted Pike                  tgp@sei.cmu.edu
    Paul Pomes                paul_pomes@uiuc.edu
    Joyce Reynolds            jkrey@venera.isi.edu
    Robert J. Reschly Jr.     reschly@brl.mil
    Milt Roselinsky           cmcvax!milt@hub.vcsb.edu
    Jonathan Saperia          saperia%tcpjon@decwrl.dec.com
    Robert W. Shirey          shirey@mitre.org
    Tim Seaver                tas@mcnc.org
    Michael StJohns           stjohns@umd5.umd.edu
    Cal Thixton               cthixton@next.com
    C. Philip Wood            cpw@lanl.gov
    Sze-Ying Wuu              wuu@nisc.junc.net



                                   4