
Version 20 (modified by martin.vigoureux@…, 5 months ago)


NomCom 2020 Security Desired Expertise

Security

The Security Area primarily focuses on protocols that provide one or more security services such as integrity, authentication, confidentiality, access control, assessment and threat mitigation. The privacy properties and usability of IETF protocols are also an important consideration.

Specific expertise required for a Security AD includes a strong working knowledge of IETF security protocols and mechanisms that have been developed in the Security Area, other Areas of the IETF, and outside the IETF. It is also important for Security ADs to understand the practical aspects of securing Internet resources and communication, including the use of common classes of cryptographic primitives and common misuse of such primitives. A good understanding of threat modeling and risk assessment as well as operational and industry practices is also beneficial.

Between the two Security ADs there will ideally be one who is knowledgeable about major IETF security protocols such as PKIX, IPsec, TLS, SASL, GSS-API, EAP, CMS, and S/MIME. Ideally, at least one AD would be knowledgeable about governance, policy and risk management; security and privacy controls in complex systems; the web security model; security operations and monitoring; incident response; and security in a systems development lifecycle.

The Security Area intersects with all other IETF Areas, and the Security ADs are expected to review, assess and improve the security properties of documents produced by all IETF Areas. Security ADs become personally involved with coordinating the involvement of security experts in the work of other Areas. Broad knowledge of IETF areas and technologies and the ability to assimilate new information quickly are imperative for a Security AD.