Re: NEA requirements (was Re: [Nea] Re: use of a design teamto developrequirements)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NEA requirements (was Re: [Nea] Re: use of a design teamto developrequirements)

To: Khaja Ahmed <khaja at windows.microsoft.com>
Subject: Re: NEA requirements (was Re: [Nea] Re: use of a design teamto developrequirements)
From: Douglas Otis <dotis at mail-abuse.org>
Date: Mon, 18 Dec 2006 16:05:02 -0800
Cc: nea at ietf.org
In-reply-to: <A07B77F32153944CA64E551D7C23674E03369BDA@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
List-archive: <http://www1.ietf.org/pipermail/nea>
List-help: <mailto:nea-request@ietf.org?subject=help>
List-id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-post: <mailto:nea@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
References: <279DDDAFA85EC74C9300A0598E704056011D1227@hdsmsx412.amr.corp.intel.com> <45871026.3000604@deployingradius.com> <A07B77F32153944CA64E551D7C23674E03369BDA@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>


On Dec 18, 2006, at 2:36 PM, Khaja Ahmed wrote:

I think the approach that Alan outlines is a pretty reasonable one. I too see no reason for a query/response based protocol. In fact a query response based protocol is only likely to add needless complexity and make the scheme susceptible to abuse.

Based on the identity of the network, the machine will communicate the state necessary to gain (or be denied) admission. With appropriate key management and federated trust mechanisms in place the information can also be encrypted so only authorized networks can get / see the information.

Agreed. The information exchanged could represent a set of time- stamped certificates. Information contained within the certificates would be the provider and resources used. The client's version of the certificate would also indicate the status of the service. The NEA protocol could be limited to just the broker advertising in sets of desired or required certificates offering their certificates carrying their identity of "hostmaster at example.com" as the entity making the request. Having a current certificate for each required set should satisfy any acceptance requirement. When a certificate is lacking, the resources and the provider of the certificate and related service will be apparent. The resources can be verified prior to invoking any service related to remediation or questioning prior to obtaining a fresh certificate.

This approach should make it easy to implement a scheme suitable for autonomous devices, or client systems that will likely closely approximate an autonomous system. The requested service might be as simple as acknowledging the provider's AUP and their current status when dealing with humans.

-Doug

_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea

References:
- RE: NEA requirements (was Re: [Nea] Re: use of a design team to developrequirements)
  - From: Blumenthal, Uri
- Re: NEA requirements (was Re: [Nea] Re: use of a design team to developrequirements)
  - From: Alan DeKok
- RE: NEA requirements (was Re: [Nea] Re: use of a design teamto developrequirements)
  - From: Khaja Ahmed

Prev by Date: RE: NEA requirements (was Re: [Nea] Re: use of a design teamto developrequirements)
Next by Date: Fwd: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
Previous by thread: RE: NEA requirements (was Re: [Nea] Re: use of a design teamto developrequirements)
Index(es):
- Date
- Thread

Re: NEA requirements (was Re: [Nea] Re: use of a design teamto developrequirements)

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.