Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)

To: Douglas Otis <dotis at mail-abuse.org>
Subject: Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
From: Alan DeKok <aland at deployingradius.com>
Date: Thu, 21 Dec 2006 23:22:10 -0800
Cc: nea at ietf.org, Keith Moore <moore at cs.utk.edu>
In-reply-to: <81549132-74A0-4A5D-B46D-A0DB10F2190D@mail-abuse.org>
List-archive: <http://www1.ietf.org/pipermail/nea>
List-help: <mailto:nea-request@ietf.org?subject=help>
List-id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-post: <mailto:nea@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
References: <A6398B0DB62A474C82F61554EE93728701DB40C6@proton.jnpr.net> <4580993D.1070405@deployingradius.com> <a96eb4980612131635y15836e24n48d43d2b6bfa0814@mail.gmail.com> <4580A0C4.2000605@cs.utk.edu> <a96eb4980612131715w22400d97j80624eab057ed24e@mail.gmail.com> <4586D002.3050800@deployingradius.com> <a96eb4980612181108j4c1f31fcia092c120e8ce0485@mail.gmail.com> <4586F499.10101@deployingradius.com> <a96eb4980612181814y7292309erc93af6ea2f16d20b@mail.gmail.com> <a96eb4980612190545j1582c919y5191875499bf453d@mail.gmail.com> <a96eb4980612190547g31081a42v3cbe44891f246029@mail.gmail.com> <4587F272.8020701@cs.utk.edu> <45882DDB.6060901@deployingradius.com> <4588350B.9030008@cs.utk.edu> <458843D7.3020205@deployingradius.com> <458847C2.7060808@cs.utk.edu> <64DE0F22-BD54-4989-9129-16F84BB8C246@mail-abuse.org> <4589C555.6050902@deployingradius.com> <DC8523EF-2801-4E39-A330-63DC56F6F430@mail-abuse.org> <458AF973.3030108@deployingradius.com> <81549132-74A0-4A5D-B46D-A0DB10F2190D@mail-abuse.org>
User-agent: Thunderbird 1.5.0.9 (Windows/20061207)

Douglas Otis wrote:
> The goal is to minimize data held within a certificate such that it
> remains possible to hold several within a single packet.

  I can't find that goal in the charter text.  If it is a goal, it's
secondary to the goals stated in the charter.

>  When the
> number of certificates becomes burdensome, an exchange reduction could
> be accomplished by a "caching" NEA server producing a certificate that
> reflects the client's certificates currently held.  That seems overly
> complex for what is likely not a problem when certificates are kept to a
> minimum size.

  Why not have one solution that works everywhere, for all cases?

> The word service might cover any number of things related to securing
> the client.  OS, applications, as well as supplemental defenses-in-depth
> could be covered by the term service.

  A word that can take on any meaning ends up meaning nothing.

> What would you suggest that it be called?  How about Comprehensive
> Assessment and Remediation (CAR) service?

  How about using the terms from the charter?

>  It
> seems a bad idea to add more points of trust at administrative levels
> and pose the potential for catastrophic security breaches.  Leveraging
> existing trusted services would be much safer, more acceptable, and
> easier to administer.

  There are no trust issues in an NEA client accepting a certificate
from an NEA server.  That certificate says *nothing* to the client.
It's just a magic token that the client needs to use to obtain access in
a particular enterpise network.

  The certificate has meaning to the NEA server that issued it.  The NEA
server "trusts" the certificate... because it issued the certificate.

  As for clients not holding a valid certificate, a contractors NEA
client is perfectly free to *not* trust the NEA server for a particular
enterprise.  In that case, please explain why the NEA server would trust
the client, and let that client on it's network.

  The answer is "it won't".  Your whole worry about trust is misplaced,
and is causing you to come up with convoluted scenarios and solutions.
Allowing a client to obtain network access if it passes posture
assessment by third parties is ridiculous: they don't own the network.
The enterprise administrator running the NEA server owns the network,
and is the ONLY one who controls network access.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea

Follow-Ups:
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
  - From: Douglas Otis

References:
- [Nea] Draft minutes from IETF 67 NEA WG meeting
  - From: Stephen Hanna
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Alan DeKok
- NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
  - From: Alan DeKok
- Fwd: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
  - From: Mike Fratto
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
  - From: Keith Moore
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
  - From: Alan DeKok
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
  - From: Keith Moore
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
  - From: Alan DeKok
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
  - From: Keith Moore
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
  - From: Douglas Otis
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
  - From: Alan DeKok
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
  - From: Douglas Otis
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
  - From: Alan DeKok
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
  - From: Douglas Otis

Prev by Date: Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
Next by Date: Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
Previous by thread: Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
Next by thread: Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
Index(es):
- Date
- Thread

Re: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.