RFC 3552 Quiz

Writing Security Considerations

🇺🇸 🇯🇵

0 / 0

References (URLs)

RFC 3552: Guidelines for Writing RFC Text on Security Considerations

Goal: write security notes that help implementers and operators avoid real failures.

Show explanation immediately Show all answers

Q1: A good Security Considerations section should primarily

Multiple Choice

A. Restate the entire protocol in different words B. Describe realistic threats, assumptions, and mitigations relevant to the spec C. Promise that the design is secure

**Explanation:** **Correct (B):** The purpose is to help readers reason about security properties and failure modes

Q2: Useful items to include are (select all)

Multi-Select

A. Threat model and attacker capabilities B. Privacy and metadata exposure notes C. Operational considerations like key rotation and logging guidance D. Marketing claims about compliance

**Explanation:** **Correct (A,B,C):** Security is not only cryptography, it is also deployment and ops **Options:** - D (incorrect): Avoid marketing language

Q3: Your draft says "This protocol has no security considerations". A better approach is to

Multiple Choice

A. Explain why it has minimal impact and explicitly state assumptions and residual risks B. Leave it blank to avoid scrutiny C. Add the word secure many times

**Explanation:** **Correct (A):** Even "simple" specs can introduce risks via deployment or composition

Q4: A common failure mode in security text is to

Multiple Choice

A. Define terms clearly B. Include concrete examples C. Rely on vague statements like "use strong crypto" without specifying goals or contexts

**Explanation:** **Correct (C):** Vague advice is hard to implement and easy to misapply

Q5: When discussing mitigations, good guidance tends to (select all)

Multi-Select

A. Explain what the mitigation defends against B. Note tradeoffs or operational costs C. Clarify what is out of scope or not solved D. Guarantee that no attacks are possible

**Explanation:** **Correct (A,B,C):** Good guidance is scoped, actionable, and honest about limitations **Options:** - D (incorrect): Security is never absolute

Q6: Name the concept that describes assumed attackers and capabilities (two words)

Short Text

**Explanation:** **Correct:** threat model