RE: [Isms] #32: is the securityName=username default OK?
Hi,
Comments inline.
> While nothing would preclude having USM-style local configuration
> information dealing with the creation of securityName, I think the
> straightforward thing to do is eliminate any local configuration
> dependency and *always* use the tmSecurityName as the securityName.
Remember that ISMS supplements USM. USM requires a local configuration
dependency, therefore we cannot eliminate it.
> This effectively deprecates the concept of a model independent
> securityName. While that was probably a nice concept in theory, and
> practical as long as local configuration was intrinsically part of the
> authentication mechanism, I think it makes little sense when used with
> existing authentication (or AAA) infrastructures. Remember, the whole
> premise is to leverage existing, centralized identity management, so
> having to configure an identity transform on each managed entity makes
> no sense to me. We don't want to have to configure the identities on
> each managed entity, so why should we have to configure an identity
> transform?
One reason why we have securityName is so that a system logging
facility that logs changes to the SNMP system can use a human-readable
name in the log - the securityName. We have no guarantee that the
tmSecurityName is human-readable.
The more obvious reason for securityName is to allow multiple
authentication mechanisms to map to a common securityName for a user
(or a group of users, or whatever) for use by the access control
system.
I do not believe all organizations will always have only one mechanism
for authenticating all people and other entities (such as
applications), regardless of the device from which they are
authenticating, the firmware version of the device from which they are
authenticating, or the location from which they are authenticating.
Having a mechanism to bind multiple mechanism-specific identities to
one SNMP identity seems a good thing.
David Harrington
dbharrington at comcast.net
> IMHO, the proposed default behavior is the only required behavior.
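A small illustration of the two positions in this thread, added here as example code (it is not from the ISMS drafts or from any SNMP implementation): a local table binds several mechanism-specific identities to one securityName, the #32 default (securityName = tmSecurityName) applies wherever no mapping exists, and the result is checked for being usable in a log and in a VACM-style group lookup. The model numbers, user names and table contents are constructed assumptions.

```python
from typing import Dict, Optional, Tuple

# securityModel numbers (assumed here): 3 is USM (RFC 3414); 4 is the value
# later assigned to the Transport Security Model (RFC 5591).
USM = 3
TSM = 4

# Constructed local mapping: (securityModel, mechanism-specific identity) -> securityName.
# Three different authentication mechanisms bind to the single SNMP identity "alice".
SECURITY_NAME_MAP: Dict[Tuple[int, str], str] = {
    (USM, "alice-usm"): "alice",
    (TSM, "CN=alice,OU=netops,O=example"): "alice",  # e.g. a certificate subject as tmSecurityName
    (TSM, "alice@ssh"): "alice",                     # e.g. an SSH user name as tmSecurityName
}

# Constructed group table, keyed like vacmSecurityToGroupTable: (securityModel, securityName).
SECURITY_TO_GROUP: Dict[Tuple[int, str], str] = {
    (USM, "alice"): "netadmins",
    (TSM, "alice"): "netadmins",
}


def is_loggable(name: str) -> bool:
    """True if a log facility can show the name: non-empty printable ASCII,
    at most 32 octets (the SIZE(1..32) of VACM's vacmSecurityName)."""
    octets = name.encode("utf-8")
    return 0 < len(octets) <= 32 and all(32 <= b < 127 for b in octets)


def resolve_security_name(model: int, tm_security_name: str) -> Optional[str]:
    """Derive the model-independent securityName for an authenticated identity.
    An explicit local mapping wins; otherwise the #32 default applies and the
    tmSecurityName is used as-is. Returns None when the result is not loggable."""
    name = SECURITY_NAME_MAP.get((model, tm_security_name), tm_security_name)
    return name if is_loggable(name) else None


def lookup_group(model: int, tm_security_name: str) -> Optional[str]:
    """Full path from mechanism-specific identity to VACM group, or None if no access."""
    name = resolve_security_name(model, tm_security_name)
    if name is None:
        return None
    return SECURITY_TO_GROUP.get((model, name))


if __name__ == "__main__":
    for model, ident in [(USM, "alice-usm"), (TSM, "alice@ssh"), (TSM, "bob"), (TSM, "\x00binary")]:
        print(model, repr(ident), "->", resolve_security_name(model, ident), lookup_group(model, ident))
```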
_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.