[cabf_netsec] SC20 and Adversarial Interpretation
Tobias S. Josefowitz
tobij at opera.com
Mon Feb 3 11:04:47 MST 2020
On Mon, 3 Feb 2020, Neil Dunbar via Netsec wrote:
> Reading through Ryan's comments on the main list, a couple of things are
> springing to mind.
> 1) Is there anything that can be done to shut out a perverse interpretation
> that a "change" to a system can be defined as "anything which goes through
We worked on this a bit in the Pain-Points subgroup today and did not
quite find a way to express it so that it is not open to a perverse
interpretation. We considered the quite possibly best course of action
might be to take Ryan up on his offer, create an SC20 pull request and see
what he comes up with.
> 2) Should we decapitalise Change Management Process in 1(h), unless we truly
> wish it to be a defined term? Given that there are plethorae of systems
> capable of tracking changes, it might be problematic to come up with an
> all-encompassing definition. In 1(h) we are stating the characteristics which
> a change management system needs to demonstrate, rather than specifically
> nail down what one is; therefore might it be better to not make it appear as
> a defined term?
> Alternatively, we could simply define one:
> "Change Management Process: A protocol which catalogues proposed changes to
> systems within its scope, allowing such changes to be approved, rejected and
> My problem with the above is that I'm sure it just creates a dozen more holes
> for bad actors to escape from!
We came up with:
Change Management Process: An established set of steps followed to ensure
that the intended system configuration and changes to it have received
appropriate levels of review and have been duly authorized.
Anyway, should we create the pull request? I volunteer(ed) to take care of
it, and I stand by it, but given you are the proposer and already have the
commit and all and just need to click a button, maybe you prefer to do it?