Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)

-------- Original Message --------

To: Alan DeKok <aland at deployingradius.com>


> In fact, the NEA server has little use for that information to make
> any decision independent of the manufacturer of product X.  If the NEA
> server gets told product X is at version Y, what does that mean?  Is it
> a good thing?  Is that version vulnerable?  Is it newer than the version
> the NEA server knows about?
>
> So what does an NEA server make a decision on?

who says the NEA server has to make a (nontrivial) decision? if the client presents a statement, signed by a key that is traceable to a host and a product, that says that the host conforms to a certain level of a profile, what more does the server need to do other than to tell the network to give the host whatever level of access corresponds to that profile?


> That could be a query/response or it could be a notification mechanism,
> though the latter is highly inflexible and severely limiting.

yes, but that's the point - the limitations are highly desirable in reducing the threat of NEA to privacy, and they don't get in the way of letting NEA do the job that it is designed to do. they also have the advantage of making NEA a fairly trivial protocol to design and implement, allowing the standard to get to market much more quickly.


Keith


_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea



