Re: [Nea] IETF67 NEA WG Meeting summary

regarding NEA: what I might be okay with is giving authorized
third-parties yes or no assurance that the host meets or does not meet
their policies, without giving them fine-grained detail about what is
installed on the host.  so the owner of a host could get details about
why a host did or did not fit within a particular network's policy, but
the network (if owned by another party than the owner of the host) could
only get yes or no information.   I would like to see this option
examined further.

Nothing is gained here regarding privacy. A validation server could glean what is installed by asking a series of questions and inferring the response. For example:

Q: do you have software A, B, or C?
A: No
Q: do you have software D?
A: Yes

Ergo, host has software D.

And if you're so concerned about privacy, the network operator has a
right to keep their policies private so as not to give potential
attackers specific knowledge about their protective measures.

I think a reasonable solution is one that Steve offered in the other
thread where (to summarize), the endpoint, including the user, and the
network agree on what will be shared during an assessment and then the
network bases an access control decision on that assessment.
Therefore, people with privacy concerns don't expose information and
the network operator enforces local policy.

Does that mean there may be cases where endpoints aren't allowed
access? Sure does, but privacy, like access, has its price.

_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea
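The inference argument in the message above, as an added example that is not part of the original thread: a validation server limited to yes/no answers still recovers the full inventory by choosing its questions adaptively, while an endpoint that answers only the pre-agreed assessment question does not leak beyond it. The catalogue, package names and function names are constructed for illustration.

```python
# Added example (not the original thread's code): shows how a validation
# server that only ever receives yes/no answers can still recover an
# endpoint's software inventory by choosing its questions adaptively.
# The catalogue and package names are constructed for illustration.
from typing import Callable, List, Set, Tuple

CATALOGUE: List[str] = [f"pkg-{i:02d}" for i in range(16)]  # constructed


def make_endpoint(installed: Set[str]) -> Callable[[Set[str]], bool]:
    """Endpoint side: answers only 'is any of these installed?' with yes/no."""
    def any_installed(question: Set[str]) -> bool:
        return bool(installed & question)
    return any_installed


def infer_inventory(ask: Callable[[Set[str]], bool],
                    catalogue: List[str]) -> Tuple[Set[str], int]:
    """Server side: adaptive group testing over the yes/no channel.
    Ask about a group; 'no' clears the whole group, 'yes' splits it.
    Returns the recovered inventory and the number of questions used."""
    found: Set[str] = set()
    questions = 0

    def probe(group: List[str]) -> None:
        nonlocal questions
        questions += 1
        if not ask(set(group)):
            return                      # nothing in this group is installed
        if len(group) == 1:
            found.add(group[0])         # pinned down a single package
            return
        mid = len(group) // 2
        probe(group[:mid])
        probe(group[mid:])

    probe(list(catalogue))
    return found, questions


def make_agreed_endpoint(installed: Set[str],
                         agreed: Set[str]) -> Callable[[Set[str]], bool]:
    """Mitigation sketched in the message: the endpoint answers only the
    question that user and network agreed on beforehand, nothing else."""
    def answer(question: Set[str]) -> bool:
        if question != agreed:
            raise PermissionError("question not in agreed assessment")
        return bool(installed & question)
    return answer
```

With two packages installed out of sixteen, the adaptive server pins both down in 15 yes/no questions; the agreed-question endpoint refuses the first off-policy question.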