[Nea] RE: Updated problem statement I-D



I would echo others' statements that this is a good statement of the
problem at hand. I know I haven't contributed in the past, but I do have
a request for a minor clarification on section 9.5. It says that "it is
important from a security perspective" to be able to separate end-point
authentication from end-point posture assessment. I understand why you
need to be able to separate the architectures from an engineering
perspective, but I think the document should be more specific as to the
security concerns around why they need to be separable. Is there a risk
in overloading one architecture with the other's functionality?

Thanks.

-Rob Polansky

-----Original Message-----
From: nea-request at ietf.org [mailto:nea-request at ietf.org] 
Sent: Saturday, March 04, 2006 3:42 PM
To: nea at ietf.org
Subject: Nea Digest, Vol 5, Issue 1
[...]
9.5.  Identity authentication of communicating end-points

   In order for the NEA Server to accept access requests and posture
   information being reported to by the NEA client, the NEA Server may
   need to authenticate the NEA client in some manner.  Similarly,
   within some network environments there may be the requirement that
   the NEA client also authenticate the NEA Server with whom it is
   communicating.  Although the process of evaluating an access request
   may combine together the notion of authentication and integrity state
   evaluation (through posture information), it is important from a
   security perspective and useful from a good engineering practices
   perspective to be able to separate end-point authentication
   (including both machine and user authentication) from end-point
   posture assessment.
