RE: [Isms] #32: is the securityName=username default OK?
David B Harrington writes...
> So, if the mapping between a mechanism-specific "username" and a
> corresponding securityname is not explicitly specified in the Local
> Configuration Datastore, then is setting securityName to the username
> (tmSecurityname) associated with the session the right thing to do?

While nothing would preclude having USM-style local configuration
information dealing with the creation of securityName, I think the
straightforward thing to do is eliminate any local configuration
dependency and *always* use the tmSecurityName as the securityName.

This effectively deprecates the concept of a model independent
securityName. While that was probably a nice concept in theory, and
practical as long as local configuration was intrinsically part of the
authentication mechanism, I think it makes little sense when used with
existing authentication (or AAA) infrastructures. Remember, the whole
premise is to leverage existing, centralized identity management, so
having to configure an identity transform on each managed entity makes
no sense to me. We don't want to have to configure the identities on
each managed entity, so why should we have to configure an identity
transform?

IMHO, the proposed default behavior is the only required behavior.
_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.