RE: [Isms] #32: is the securityName=username default OK?
>> I think some authentication systems and even some domains
>> such as DOCSIS might require mapping of the authenticated
>> "name" to a securityName.
>
> I suppose there might be such a requirement,
> but could you give us a concrete example?
Easily. SNMPv2p (that was implemented and did see some limited
deployment) identified entities by ASN.1-encoded OIDs.
> If the tmSecurityName is a function of local per-user (or per-meta-user)
> configuration information, then how is ISMS fundamentally different from
> USM?
First, who said that a successful design must be "fundamentally different"?
Second - most SSH installations have some local info both about the SSH
config, AND about the users that can login via SSH. Often this info is
shared with the operating system user list - password file(s), but so what -
the point is that local systems more often than not store relevant
per-user information locally. The major complaints about USM that I'm
aware of are: (a) USM requires SEPARATE infrastructure IN ADDITION to
what's already deployed, and (b) USM lacks short-lived session keys and
a decent key update mechanism.
> ISMS is supposed to be more than USM over SSH. :-)
Is it? :-)
_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.