Re: [Isms] open issues

To: <randy_presuhn at mindspring.com>, <isms at ietf.org>
Subject: Re: [Isms] open issues
From: <Pasi.Eronen at nokia.com>
Date: Wed, 30 Apr 2008 10:02:41 +0300
Delivered-to: ietfarch-isms-web-archive at core3.amsl.com
Delivered-to: isms at core3.amsl.com
In-reply-to: <010301c8a634$464caf00$6801a8c0@oemcomputer>
List-archive: <http://www.ietf.org/pipermail/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <20080422210355.GA12678@elstar.local><002401c8a4dc$869f3400$6801a8c0@oemcomputer><20080423064530.GC13183@elstar.local><000d01c8a513$af1af400$6801a8c0@oemcomputer><20080423084701.GE13273@elstar.local><000601c8a56a$e95f1c20$6801a8c0@oemcomputer><000001c8a597$b0349560$011716ac@NEWTON603><000c01c8a59a$c04122e0$6801a8c0@oemcomputer><1696498986EFEC4D9153717DA325CB7271D491@vaebe104.NOE.Nokia.com> <010301c8a634$464caf00$6801a8c0@oemcomputer>
Sender: isms-bounces at ietf.org
Thread-index: AcimPK0izdKZztpKT4iL4gqiMd1R6wEU11hg
Thread-topic: [Isms] open issues

Randy Presuhn wrote:

> > It seems that in this direction, the securityName and SSH user 
> > name won't be the same: securityName would identify someone 
> > who's allowed to see the information ("researchDeptAdmins" or 
> > "John"), but SSH user name would identify the notification 
> > originator ("router37" or "switch12.44.subunit7.example.com"), 
> > right?
> 
> Perhaps there's an implementation / deployment choice here,
> driven by the trust model.  When a notification stream is
> presented to a management application, whose credentials 
> would one want to use to decide whether to accept that stream?
> Ones associated with the subscriber, ones associated with the
> agent, or ones associated with both  (i.e. that subscriber at that
> agent, as in a paranoid USM deployment)?

Perhaps we're discovering a limitation that RFC 341x didn't really
consider: when you use pairwise secret keys, the key (and its
securityName) always identifies (at least implicitly) both ends of the
relationship. In case of public key crypto, that's not the case.

> The second consideration is whether existing notification receiver
> applications are using securityName to figure out where to internally
> (within the management system) route notifications.  This is outside
> the scope of what we nail down in the SNMP specifications, but would
> be a practical consideration.  We need to hear from the management
> application people.
> 
> ...
> > BTW, is the securityName only handled solely by the security model, 
> > or is it included somewhere inside the PDU even when you're using
> > SSHTM? 
> ...
> 
> RFC 3413 section 3.4 specifies that securityName is provided
> to the notification receiver application.

Yes.. but it's not clear whether this is always the same securityName
that was provided by the notification originator application
(identifying the receiver, used for access control on the originator
side), or a securityName identifying the originator.

For pairwise secret keys, it doesn't matter. For public keys, if it's
important to know the former on the notification receiver side, we
might need to pass it separately from the SSH user name.

Best regards,
Pasi
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms

Follow-Ups:
- Re: [Isms] open issues
  - From: Randy Presuhn

References:
- Re: [Isms] open issues
  - From: Juergen Schoenwaelder
- Re: [Isms] open issues
  - From: Randy Presuhn
- Re: [Isms] open issues
  - From: Juergen Schoenwaelder
- Re: [Isms] open issues
  - From: Randy Presuhn
- Re: [Isms] open issues
  - From: Juergen Schoenwaelder
- Re: [Isms] open issues
  - From: Randy Presuhn
- Re: [Isms] open issues
  - From: David B. Nelson
- Re: [Isms] open issues
  - From: Randy Presuhn
- Re: [Isms] open issues
  - From: Pasi.Eronen at nokia.com
- Re: [Isms] open issues
  - From: Randy Presuhn

Prev by Date: Re: [Isms] open issues
Next by Date: Re: [Isms] open issues
Previous by thread: Re: [Isms] open issues
Next by thread: Re: [Isms] open issues
Index(es):
- Date
- Thread

Re: [Isms] open issues

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.