Re: [Isms] Moving into some design / architecture issuesofExtended VACM

To: <isms at ietf.org>
Subject: Re: [Isms] Moving into some design / architecture issuesofExtended VACM
From: "Randy Presuhn" <randy_presuhn at mindspring.com>
Date: Mon, 15 Jun 2009 22:57:21 -0700
Delivered-to: isms at core3.amsl.com
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=mindspring.com; b=L4E4i4O9aGputSUMJ0jbfckWfnKdZGZ9LBqK5sLFczlN3/KbM0CtDY1i1rvL/dhe; h=Received:Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <7D5B6351B90B4B7FB309277995E141F9 at NEWTON603> <C656D2E4.36EE6%kaushik at cisco.com> <CDE812BAFEBA4D059FF4B3B7EC3CAF46 at NEWTON603> <002a01c9ee1c$eeb36900$6801a8c0 at oemcomputer> <20090616050714.GB6629 at elstar.local>

Hi -

> From: "Juergen Schoenwaelder" <j.schoenwaelder at jacobs-university.de>
> To: "Randy Presuhn" <randy_presuhn at mindspring.com>
> Cc: <isms at ietf.org>
> Sent: Monday, June 15, 2009 10:07 PM
> Subject: Re: [Isms] Moving into some design / architecture issuesofExtended VACM
...
> I do not think you need to mess around with contexts. If we can make
> multiple ACMs to work, the problem has a solution.
...

Multiple ACMs would be a wonderful theoretical Pandora's box project to give
to some grad student to play with.  Be careful what you wish for, especially when
it comes time to send notifications.  For the implementations with which I am
familiar, having multiple ACMs would be *very* tricky.  Don't forget the
extent to which isAccessAllowed is involved in the conceptual processing
of GetNext, GetBulk, and notifications, and that a real implementation,
rather than relying on the ASI abstraction, may look directly into the
heart of VACM in order to optimize subagent subtree queries during GetNext
and GetBulk.  Having the possibility of a different access control model
could throw a monkey wrench into those algorithms.

Folks think having VACM to deal with is difficult.  Just wait until
folks start putting in ACMs of their own in order to "simplify" things.

But it will give the WG, implementors, and operators a lot more to do,
so I suppose some might consider that a win.

Randy

References:
- [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architecture issues of Extended VACM
  - From: kaushik
- Re: [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architecture issues ofExtended VACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design / architecture issues ofExtended VACM
  - From: Juergen Schoenwaelder

Prev by Date: Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
Next by Date: Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
Previous by thread: Re: [Isms] Moving into some design / architecture issues ofExtended VACM
Next by thread: Re: [Isms] Moving into some design / architecture issues ofExtendedVACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design / architecture issuesofExtended VACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.