RE: [Isms] #32: is the securityName=username default OK?

Kaushik Narayan writes...

> I think some authentication systems and even some domains such as DOCSIS
> might require mapping of the authenticated "name" to a securityName.

I suppose there might be such a requirement, but could you give us a
concrete example?

> It might be better to handle this within ISMS configuration (which would
> probably be implementation dependent) and not security model independent
> configuration since the mapping might be specific to particular
> authentication systems.

This seems like a potential pitfall to me.  I can see all sorts of
interoperability problems arising out of localized, implementation-specific
mappings of identity.  It may work very well in specific
deployment environments, where the rules are universally understood.
However, I can see difficulties in obtaining correct results from
multi-vendor interoperability testing.

If the tmSecurityName is a function of local per-user (or per-meta-user)
configuration information, then how is ISMS fundamentally different from
USM?  ISMS is supposed to be more than USM over SSH.  :-)

