Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications

To: "David Harrington" <ietfdbh at comcast.net>
Subject: Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications
From: Wes Hardaker <wjhns1 at hardakers.net>
Date: Mon, 14 Sep 2009 14:07:49 -0700
Cc: isms at ietf.org, 'Jeffrey Hutzelman' <jhutz at cmu.edu>
Delivered-to: isms at core3.amsl.com
In-reply-to: <033e01ca357d$cd57ade0$0600a8c0 at china.huawei.com> (David Harrington's message of "Mon, 14 Sep 2009 16:56:16 -0400")
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Organization: Sparta
References: <sd63eliohe.fsf at wes.hardakers.net> <E6658A5CB6378B46A7F9C43757A73977047E6252 at de01exm63.ds.mot.com> <sdfxapa0nc.fsf at wjh.hardakers.net> <20090914182918.GA1332 at elstar.local> <27070_1252954966_n8EJ2jKD029767_sd4or59wpj.fsf at wjh.hardakers.net> <FB64E92A8472D9DC947B53A0 at atlantis.pc.cs.cmu.edu> <033a01ca3579$ea2c30c0$0600a8c0 at china.huawei.com> <11B6ECDDB8C495CF22FEC194 at atlantis.pc.cs.cmu.edu> <033e01ca357d$cd57ade0$0600a8c0 at china.huawei.com>
User-agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE)

>>>>> On Mon, 14 Sep 2009 16:56:16 -0400, "David Harrington" <ietfdbh at comcast.net> said:

DH> If one were to implement the DTLS-TM using a DTLS toolkit, would the
DH> SNMP side of the API likely know why that the client certificate was
DH> invalid, or would that likely be internal to the toolkit?

1) Yes. I've seen the openssl code and know that you can determine this
exact situation.

2) IMHO, it doesn't matter. It's not up to us to specify how a service
gets managed. As an example, many of the interface counters, for
example, were put into "exporting data" code in the linux kernel
because SNMP needed access to them.

There are only two cases:

A) A (D)TLS implementation can export the situation already today
within the existing APIs (such as the case for OpenSSL, as
mentioned above).

B) A (D)TLS implementation can not export the data and as far as the
client goes, it's a silent fail with a generic error. If this is
the case, then one of three things must happen:

i) the SSL implementation implements a mechanism through "some
manner" so that the invalid-certificate notification can be
sent by the application using the SSL API. Maybe through a new
error code, or whatever.

ii) the SSL implementation implements an internal "I got a problem"
event and sends through some aspect to anyone listening. A
listener (possibly the SNMP agent application) would listen for
a problem and send a notification when it received that
internal software event.

iii) the SSL implementation won't export the details that a problem
has occurred problem through any method. This leaves the SNMP
agent implementation out of luck as it simply can't send the
notification at all. If we think this is possible, wouldn't it
make more sense to put the notification into an optional
conformance group than to not put it in at all?

And eventually, hopefully, all iii)s would eventually
transition to either i) or ii).

--
Wes Hardaker
Cobham Analytic Solutions

Follow-Ups:
- Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications
  - From: David Harrington

References:
- [Isms] draft-hardaker-isms-dtls-tm-05 submitted
  - From: Wes Hardaker
- Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications
  - From: Donati Andrew-MGIA0477
- Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications
  - From: Wes Hardaker
- Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications
  - From: Juergen Schoenwaelder
- Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications
  - From: Jeffrey Hutzelman
- Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications
  - From: David Harrington
- Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications
  - From: Jeffrey Hutzelman
- Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications
  - From: David Harrington

Prev by Date: Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications
Next by Date: Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications
Previous by thread: Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications
Next by thread: Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications
Index(es):
- Date
- Thread

Re: [Isms] draft-hardaker-isms-dtls-tm-05 submitted - tlstmNotifications

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.