CURRENT MEETING REPORT

Reported by Richard Pethia/CERT

SPWG Minutes

The Security Policy Working Group (spwg) met to review the November 28, 1990 working draft Internet Security Policy Recommendations and to identify the next steps in moving the recommendations forward.

Review

There was considerable discussion on the purpose of the document and on the ability of the IETF, the IAB, or any other organization to enforce Internet security policy. As stated in the document:

``It is important to recognize that the voluntary nature of the Internet system is both its strength and, perhaps, its most fragile aspect. Rules of operation, like the rules of etiquette, are voluntary and, largely, unenforceable, except where they happen to coincide with national laws whose violation can lead to prosecution.''

``A common set of rules for the successful and increasingly secure operation of the Internet can, at best, be voluntary, since the laws of various countries are not uniform regarding data networking. Indeed, the recommended Internet Security Policy outlined below can also only be voluntary. However, since joining the Internet is optional, it is also fair to argue that the Internet Rules of Behavior are part of the bargain for joining and that failure to observe, apart from any legal infrastructure available, are grounds for sanctions.''

Recognizing this, and recognizing the need to state a purpose for the document, it was decided that:

   o The recommended policy serves as an enabling document. It acts to encourage development of local policy and encourage consistency across the policies of different organizations.

   o It is a tool to heighten awareness of security issues and encourages improvements in Internet security.

The policy recommendation elaborates on six main points, and contains a set of appendices that provide additional, relevant information. The six main points are:

   1. Users are individually responsible for understanding and respecting the security rules of the systems they are using. Users are individually accountable for their own behavior.

   2. Site and network service providers are responsible for maintaining the security of the systems they operate.

   3. Vendors and system developers are responsible for providing systems which are sound and have adequate security controls.

   4. Users have responsibility to use available mechanisms and procedures for protecting their own data, and they also have responsibility for assisting in the protection of the systems they use.

   5. Users, service providers and hardware and software vendors are expected to cooperate in the provision of security.

   6. Technical improvements in Internet security protocols should be sought on a continuing basis.

It was agreed that these six points generally cover all the pertinent issues, but there may need to be some rewording to promote consistency in interpretation. Elaborations should be modified/expanded to better deal with the financial and operational realities of many organizations (e.g., provide a discussion of techniques a site can use to establish a 24-hour security contact without increasing staff or significantly increasing the budget). Finally, it was suggested that the recommendations be carefully reviewed to ensure they are not perceived in a negative way (i.e., would not cause anyone to hesitate in connecting to the Internet or cause existing sites to disconnect).

Next Steps

It was agreed that the next steps in advancing the recommendations should be:

   o Revise the November 28, 1990 draft to incorporate review comments (targeted for completion before the end of January).

   o Disseminate for wider review and approval using standard IETF processes.

   o Deliver and present to selected audiences (e.g., regionals, sites, FARNET) for focused discussion and feedback.

   o Develop a plan for packaging and broad dissemination (e.g., could be packaged along with an acceptable use policy and distributed with new membership agreements).

Attendees

   Ashok Agrawala      agrawala@cs.umd.edu
   Vinton Cerf         vcerf@NRI.Reston.VA.US
   Steve Crocker       crocker@tis.com
   James Dray          dray@st1.ncsl.nist.gov
   Fred Engel
   Peter Ford          peter@lanl.gov
   James Galvin        galvin@tis.com
   Jack Hahn           hahn@umd5.umd.edu
   Joel Jacobs         jdj@mitre.org
   Dale Johnson        dsj@merit.edu
   Darren Kinley       kinley@crim.ca
   Mark Koro           koro@dockmaster.mil
   William Kutz        Kutz@dockmaster.ncsc.mil
   John Linn           linn@zendia.enet.dec.com
   Daniel Long         long@bbn.com
   Fred Ostapik        fred@nisc.sri.com
   Richard Pethia      rdp@cert.sei.cmu.edu
   Robert Reschly      reschly@brl.mil
   Jeffrey Schiller    jis@mit.edu
   Tim Seaver          tas@mcnc.org
   Kannan Varadhan     kannan@oar.net
   C. Philip Wood      cpw@lanl.gov