Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
Douglas Otis wrote:
>
> It seems the entire exchange could be an exchange of certificates. The
> provider offers certificates in sets,
Why sets? Why not just one certificate?
We can presume that NEA client policy updates are much rarer than
network connection requests (i.e. posture assessments). In that case,
the client can be issued a certificate for a particular network once it
has downloaded the latest set of updates. That certificate may then be
used for repeated posture assessments.
i.e. the NEA server issues the client a certificate that validates a
particular posture (or set of provider certificates). Once that's done,
the client only has to present one certificate to the NEA server, rather
than a set.
When the NEA server decides that it has new updates available, it can
compare the date of "last known update" to the "client certificate issue
date". If the client's certificate was issued before the last update,
then the client needs remediation. Otherwise, the client doesn't need
remediation. The process then repeats.
Similarly, if the client notices that updates are available, it can
invalidate its own certificate (i.e. by not using it), at which point
the NEA server will ask it to perform remediation, and then issue a new
certificate.
> perhaps by reference based upon a
> service URI, OS, and service name, where clients then request and verify
> a producer of the certificate which may be some third-party. Within the
> certificates held by the provider, there should be a time-stamp, their
> identity (perhaps hostmaster@), the type of service providing the
> certificate, suitable OS, and resources needed to obtain the service
> that in the end generates a certificate for the client based upon the
> client's identity.
Yes, although it's not clear what provider posture information (if
any) needs to be available to the NEA server.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
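A worked sketch of the certificate freshness check Alan describes above: the server issues the client a posture certificate after remediation, compares the certificate's issue date against its "last known update" on every connection, and the client can force remediation simply by not presenting the certificate. This is an added example, not code from the NEA working group, from either author in the thread, or from any NEA implementation. An HMAC-signed JSON token stands in for the X.509 certificate, and the network name, client name, signing key and dates are assumptions made for the example.

```python
"""Posture certificate freshness check, as sketched in the NEA thread above.

Added example. The "certificate" is an HMAC-signed JSON token standing in
for a real X.509 certificate; field names, key, network/client names and
dates are all assumptions made for this example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


class NeaServer:
    """Knows the date of the latest policy update and signs posture certs."""

    def __init__(self, network_id, signing_key, last_update):
        self.network_id = network_id
        self._key = signing_key
        self.last_update = last_update          # "last known update"

    def publish_update(self, when):
        """New remediation content became available at 'when'."""
        self.last_update = when

    def issue_certificate(self, client_id, now):
        # A completed assessment/remediation earns the client a certificate
        # bound to this network and stamped with its issue date.
        payload = {"client": client_id, "network": self.network_id,
                   "issued": now.isoformat()}
        body = json.dumps(payload, sort_keys=True).encode()
        mac = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return {"payload": payload, "mac": mac}

    def _verify(self, cert):
        body = json.dumps(cert["payload"], sort_keys=True).encode()
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return (hmac.compare_digest(expected, cert["mac"])
                and cert["payload"]["network"] == self.network_id)

    def assess(self, client_id, cert, now):
        """Handle one connection request; return (decision, certificate)."""
        if cert is None:
            # Nothing presented: full posture assessment + remediation, then issue.
            return "remediate", self.issue_certificate(client_id, now)
        if not self._verify(cert) or cert["payload"]["client"] != client_id:
            return "reject", None               # forged, or someone else's cert
        issued = datetime.fromisoformat(cert["payload"]["issued"])
        if issued < self.last_update:
            # Issued before the last update: the client is stale.
            return "remediate", self.issue_certificate(client_id, now)
        return "ok", cert


class NeaClient:
    def __init__(self, client_id):
        self.client_id = client_id
        self.cert = None
        self.updates_available = False

    def present(self):
        # Client-side invalidation: if it knows updates exist it simply does
        # not present the certificate, which forces remediation.
        return None if self.updates_available else self.cert

    def connect(self, server, now):
        decision, cert = server.assess(self.client_id, self.present(), now)
        if cert is not None:
            self.cert = cert                    # keep the (re)issued certificate
        if decision == "remediate":
            self.updates_available = False      # remediated; nothing pending
        return decision


def run_scenario():
    """Constructed timeline; returns the server's decision for each connection."""
    server = NeaServer("corp-wifi", b"example-signing-key", _utc(2007, 1, 1))
    client = NeaClient("laptop-42")
    log = [client.connect(server, _utc(2007, 2, 1))]     # no cert yet
    log.append(client.connect(server, _utc(2007, 2, 2)))  # cert newer than update
    server.publish_update(_utc(2007, 3, 1))
    log.append(client.connect(server, _utc(2007, 3, 2)))  # cert older than update
    log.append(client.connect(server, _utc(2007, 3, 3)))  # fresh again
    client.updates_available = True
    log.append(client.connect(server, _utc(2007, 3, 4)))  # client withholds cert
    forged = dict(client.cert, payload=dict(client.cert["payload"],
                                            issued="2099-01-01T00:00:00+00:00"))
    log.append(server.assess("laptop-42", forged, _utc(2007, 3, 5))[0])
    return log


if __name__ == "__main__":
    print(run_scenario())
```

The date comparison is the whole check: a certificate issued before the server's last update means the client has not seen that update, so it is sent to remediation and gets a fresh certificate; one issued afterwards is accepted without re-reading the client's posture. The forged entry at the end shows why the issue date has to be under the server's signature, otherwise a client could simply claim a later date.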