Re: Fwd: [Nea] Re: use of a design team to develop requirements
Keith Moore wrote:
> Well, let's look at an analogy. Let's say that you work for me, and I
> want to establish whether you're trustworthy. So I require you to
> consent to have your house searched, at any time, for evidence of
> anything that you might have or do that would cause me to question my
> trust in you. Would that be well within my rights as an employer? And
> if it's not okay for me to search your house, why is it okay for me to
> search your laptop?
As noted earlier on this list, both kinds of searches may be illegal
in certain jurisdictions. Complying with all legal requirements may, in
fact, be impossible for NEA.
>... And if you can reduce NEA to a protocol that just gives
> a host a way to say to a network "XYZ virus scanner certifies that this
> host is good up to version X.Y of its virus tests" then I wouldn't have
> a problem with it.
And that's probably not too hard to do, or to retrofit on existing
protocols. On the other hand, allowing open-ended queries means that
the queries will probably be Turing complete. That leaves a wonderful
attack vector: Visit a cafe, and have them run arbitrary code on your
machine.
If the Turing complete queries are NOT what is intended, it would be
nice to know that, and to have clear statements about what capabilities
the queries have.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.