RE: [Isms] #32: is the securityName=username default OK?



Hi,

This issue is related to the "Elements of Procedure" in
draft-ietf-isms-secshell-00.txt section 5.7, step 10).

Following the elements of procedure of USM as closely as reasonable,
the text says the mapping from the SSH authentication-method-specific
tmSecurityName to a model-independent securityName should be contained
in the Local Configuration Datastore (LCD):

"10) Information about the value of tmSecurityName is extracted from
   the Local Configuration Datastore (LCD) to provide conversion from
   the SSH authentication-method-specific tmSecurityName to a model-
   independent securityName."

However, we are attempting to eliminate the need for lots of
preconfiguration, so we may want to define a default mechanism for
algorithmically determining the mapping to securityName. Therefore
section 10) has some default logic (I've added some clarifications in
[] markers):

   "If no information is available for the username in the LCD, then the
   securityName is set to the username associated with the session.
   Note that USM at this point would return an unknownSecurityName error
   to the caller, because [USM] didn't automatically assign a securityname
   from the model-specific parameters.  The message should never reach
   us if it didn't pass [client] authentication [during session
   establishment], so tmSecurityname should always
   be present [in the session information]."


So, if the mapping between a mechanism-specific "username" and a
corresponding securityname is not explicitly specified in the Local
Configuration Datastore, then is setting securityName to the username
(tmSecurityname) associated with the session the right thing to do?

David Harrington
dbharrington at comcast.net

> -----Original Message-----
> From: isms-bounces at lists.ietf.org 
> [mailto:isms-bounces at lists.ietf.org] On Behalf Of Sam Hartman
> Sent: Monday, October 24, 2005 7:50 AM
> To: dbharrington at comcast.net
> Cc: isms at ietf.org
> Subject: Re: [Isms] #32: is the securityName=username default OK?
> 
> >>>>> "David" == David B Harrington <dbharrington at comcast.net> writes:
> 
>     David> #32: For an incoming message, is using a default
>     David> securityName mapping the right thing to do?
> 
> Can you explain this in more detail?
> 
> _______________________________________________
> Isms mailing list
> Isms at lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/isms
> 
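
The step-10 mapping discussed in this message, as an added example that is not part of the original e-mail or of the draft: it contrasts the proposed default (securityName = username) with the USM-style unknownSecurityName outcome, and lists usernames whose defaulted securityName equals one the LCD already assigns to a different username. The dict-based LCD, the function and class names, and the sample entries are assumptions made for illustration.

```python
from dataclasses import dataclass


class UnknownSecurityName(Exception):
    """USM-style outcome: no LCD entry exists, so the message is rejected."""


@dataclass(frozen=True)
class Mapping:
    security_name: str
    defaulted: bool  # True when no LCD entry existed and the username was used


def map_security_name(lcd, tm_security_name, allow_default=True):
    """Step 10: convert the SSH-specific tmSecurityName to a securityName.

    lcd is a hypothetical dict {tmSecurityName: securityName}.
    """
    if not tm_security_name:
        # The quoted text expects this never to happen after authentication.
        raise ValueError("session carries no tmSecurityName")
    if tm_security_name in lcd:
        return Mapping(lcd[tm_security_name], defaulted=False)
    if not allow_default:
        raise UnknownSecurityName(tm_security_name)
    # Proposed default: securityName is set to the session's username.
    return Mapping(tm_security_name, defaulted=True)


def default_collisions(lcd, session_usernames):
    """Return (username, [LCD usernames]) pairs where a defaulted securityName
    equals a securityName the LCD explicitly assigns to another username."""
    assigned = {}
    for user, name in lcd.items():
        assigned.setdefault(name, set()).add(user)
    hits = []
    for user in session_usernames:
        m = map_security_name(lcd, user)
        if m.defaulted and m.security_name in assigned:
            hits.append((user, sorted(assigned[m.security_name])))
    return hits


# Constructed sample LCD, not taken from the draft.
SAMPLE_LCD = {"alice@example.net": "netops", "bob": "readonly"}
```
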







Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.