Re: [Isms] charter proposal

To: David B Harrington <ietfdbh at comcast.net>
Subject: Re: [Isms] charter proposal
From: Juergen Schoenwaelder <j.schoenwaelder at iu-bremen.de>
Date: Tue, 2 Aug 2005 19:06:25 +0200
Cc: isms at ietf.org
In-reply-to: <20050802165929.8918539A18@hermes.iu-bremen.de>
List-archive: <http://www1.ietf.org/pipermail/isms>
List-help: <mailto:isms-request@lists.ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-post: <mailto:isms@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
Mail-followup-to: David B Harrington <ietfdbh at comcast.net>, isms at ietf.org
References: <20050802163551.GA7399@open-31-253.ietf63.ietf.org> <20050802165929.8918539A18@hermes.iu-bremen.de>
Reply-to: j.schoenwaelder at iu-bremen.de
Sender: isms-bounces at lists.ietf.org
User-agent: Mutt/1.5.9i

On Tue, Aug 02, 2005 at 12:54:06PM -0400, David B Harrington wrote:

> Hmmmm. I am of the impression that, as a source for authentication,
> the use of AAA is an implementation-dependent detail of the SSH
> authentication; whether SSH authentication relies on RADIUS or AAA or
> local users to authenticate the transport connection and the user
> should be transparent to the SNMP engine, shouldn't it? If so, then it
> doesn't belong in the charter at all.

I agree that this is fully transparent to the SNMP engine. On the
motivational side of the charter, I thought it might be worth to
mention this since not everybody might be aware that SSH
authentication decisions can easily be outsourced to AAA servers,
something that was requested in the past by operators.

> Where we run into the problem is if a TMSM also needs to somehow
> capture the authorization information returned by AAA so the AC
> subsystem can use it later. If we want that feature, and we seem to
> have a lot of people suggesting it is an important feature to support,
> then we need to address how to standardize that feature so future TMSM
> security models handle it in a compatible way. 

I simply did not put this in the charter since I do not yet understand
the dimension of this problem. I need to learn more how AAA servers
provide this authorization information and how it looks like. Perhaps
someone here can educate me or point to the relevant specs to read.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany

_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

Follow-Ups:
- RE: [Isms] charter proposal
  - From: David B Harrington

References:
- Re: [Isms] charter proposal
  - From: Juergen Schoenwaelder

Prev by Date: [Isms] Charter proposal
Next by Date: RE: [Isms] charter proposal
Previous by thread: RE: [Isms] charter proposal
Next by thread: RE: [Isms] charter proposal
Index(es):
- Date
- Thread

Re: [Isms] charter proposal

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.