Re: RE : [midcom] More on new work item
On Friday, April 30, 2004, at 11:42 AM, Jonathan Rosenberg wrote:
> IMHO, the topological issues with midcom, which we have long been aware of, combined with the CONTROL nature of the relationship between the agent and the client, really point to applicability limited to a trusted device that controls a neighboring firewall or NAT, thus useful for carrier edge or large enterprise edge applications.

I think incrementalism in design (not in deployment) is causing some
problems here. Network administrators, and a growing number of people
in the industry, are increasingly aware that the current model for
mediating access isn't very effective (and that ties quite directly to
the question of what the trust bases are). That means a couple of things,
including that there are now at least two models for provisioning trust:
1) profile, and 2) credentials. In the former case a "profile" might
mean something like "is running version whatever of anti-virus software
blah". "Credentials" is obvious and is more directly relevant to
what we're talking about. It's a shame that the distributed firewalls
stuff never took off, because that, at least, could provide a workable
framework for talking about endpoint trust and access issues. I think
we're being a bit short-sighted but I'm not sure I see a way to avoid
that under the circumstances. It may be sufficient to allow industry
to drive this one and bring work to the IETF when it's already mature.

Melinda


_______________________________________________
midcom mailing list
midcom@ietf.org
https://www1.ietf.org/mailman/listinfo/midcom