Re: [Isms] comments on draft-nelson-isms-extended-vacm-00
modularity - remember?
the access control model modifies the access control model MIB.
NEVER should a transport model modify an access control model MIB.
dbh
> -----Original Message-----
> From: isms-bounces at ietf.org [mailto:isms-bounces at ietf.org] On
> Behalf Of Juergen Schoenwaelder
> Sent: Monday, July 27, 2009 2:36 PM
> To: Dave Nelson
> Cc: isms at ietf.org
> Subject: Re: [Isms] comments on draft-nelson-isms-extended-vacm-00
>
> On Mon, Jul 27, 2009 at 02:10:15PM +0200, Dave Nelson wrote:
> > Juergen Schoenwaelder writes...
> >
> > > here are a few comments (posted as a technical contributor) on the
> > > RADIUS / VACM document:
> >
> > I think you have nicely summarized the open technical issues in the -00
> > draft.
> >
> > > A: How specific should the document refer to the TSM? Should we try to
> > > phrase things such that things still work in case we replace TSM
> > > with something else?
> >
> > I think that might be nice to do. My one concern is that the mechanism of
> > this document is dependent upon the tmStateReference. While some
> > yet-to-be-written security model might also work with a secure transport
> > model, allowing the VACM extensions in this document to be used without a
> > RADIUS-aware transport model seems to open up a security issue, or at the
> > very least an undefined mode of operation.
>
> But isn't the RADIUS aware transport doing the manipulation of the
> VACM table? Perhaps this is one thing to clarify further - which
> component is actually manipulating the VACM table.
>
> /js
>
> --
> Juergen Schoenwaelder Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
> Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.