Re: [Isms] What granularity of attributes do we need for the securetransport?

Hi -

> From: "David Harrington" <ietfdbh at comcast.net>
> To: "'David B. Nelson'" <dnelson at elbrysnetworks.com>; <isms at ietf.org>
> Sent: Thursday, April 03, 2008 3:30 PM
> Subject: Re: [Isms] What granularity of attributes do we need for the securetransport?
>
> In thinking about this, SNMP needs to know what "model" is used for
> authentication, and it knows that RADIUS is the "model".
> 
> I think SNMP actually doesn't need to know how the encryption is done,
> only that it is done. The operator can configure the underlying SSH or
> other transport to use the appropriate authentication and encryption
> parameters.
> 
> So this may actually be a non-issue.
> Do others agree?
...

As far as securityModel and securityName as used together in VACM,
I'd agree.  HOWEVER, securityModel is also used together with 
securityLevel (recall our wonderful ASCII art in section 3.1 of RFC 3415)
to describe how information was (or will be) protected in transit, and
this is an important factor in deciding whether to grant access.

The strength of encryption provided by a given security model when the
securityLevel is authPriv must be taken into account when formulating
an access control policy.  Consequently, from the choice of securityModel
one needs to be able to, at the very least, infer what the minimum level
of protection provided by authPriv would be.

So I disagree with the assessment of this as a non-issue.

Randy

_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms
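
The point made in the message above, as an added example that is not part of the thread: a Python model of how VACM (RFC 3415) selects a vacmAccessTable entry from securityModel and securityLevel together, restricted to a single context. The model number used for the SSH-based security model, the group name and the view names are constructed placeholders.

```python
# Added illustration, simplified from the vacmAccessTable selection rules in RFC 3415.
from dataclasses import dataclass

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}
ANY, USM = 0, 3      # SnmpSecurityModel values: any(0), USM(3)
SSH_MODEL = 99       # constructed placeholder for an SSH-based security model


@dataclass(frozen=True)
class AccessEntry:
    group: str
    model: int       # vacmAccessSecurityModel
    min_level: str   # vacmAccessSecurityLevel: minimum level required
    read_view: str
    write_view: str  # "" means no write access


def select_entry(table, group, model, level):
    """Pick the access entry for a request (single context, no prefix matching)."""
    candidates = [e for e in table
                  if e.group == group
                  and e.model in (ANY, model)
                  and LEVELS[e.min_level] <= LEVELS[level]]
    if not candidates:
        return None
    # Entries naming the securityModel in use win over 'any' entries.
    exact = [e for e in candidates if e.model == model]
    if exact:
        candidates = exact
    # Among the remainder, the entry with the highest securityLevel is used.
    return max(candidates, key=lambda e: LEVELS[e.min_level])


def write_view(table, group, model, level):
    entry = select_entry(table, group, model, level)
    return entry.write_view if entry else ""


# Constructed policy: both models report authPriv, but the operator rates them
# differently, and securityModel is the only handle available for doing so.
POLICY = [
    AccessEntry("admins", ANY, "authNoPriv", "all", ""),
    AccessEntry("admins", USM, "authPriv", "all", "all"),
    AccessEntry("admins", SSH_MODEL, "authPriv", "all", "config-only"),
]

if __name__ == "__main__":
    for model, level in [(USM, "authPriv"), (SSH_MODEL, "authPriv"),
                         (SSH_MODEL, "authNoPriv"), (USM, "noAuthNoPriv")]:
        print(model, level, repr(write_view(POLICY, "admins", model, level)))
```

Because the table can only key on securityModel and securityLevel, the policy author has to know what authPriv minimally guarantees under each model before writing the rows.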


