[Nea] REQ: Section 3

  The comments in Section 3.1 about lying endpoints should reference
section 8.1.1, and state that the issue is dealt with in more detail
there.  Without additional explanation, the current text seems to be
saying "we'll secure the system by asking it questions... but it can
lie.  Oh well."  Adding a reference to the security section indicates
that there may be mitigating circumstances.

  Much of Section 3.2 appears to directly contradict the charter.

      ... the use of NEA
      technologies may not apply in a variety of situations possible
      on the Internet

  The charter says that "NEA is applicable to computing enterprise
environments, ... All other cases are outside the scope of the NEA charter,"

      Therefore, this section discusses some of
      the scenarios where NEA is most likely to be applicable and
      some where it may not.

  No, the charter says that NEA is applicable only to certain scenarios.
 The requirements document MUST say that all non-charter scenarios are
outside of the scope of the NEA applicability.  The requirements
document SHOULD say that the ISP, etc. scenarios are explicitly not
being considered.  The document SHOULD say that NEA SHOULD NOT be used
in those scenarios.

      ... Environments where
      the Endpoint is owned by a party (possibly even the User)
      where the party has explicitly expressed a desire to conform
      to the policies established by a network or service provider

  No.  The charter states that NEA is not applicable to the network
provider or service provider market.  This text can mislead the reader
into believing that NEA is applicable to scenarios where the charter
says it is not applicable.

      ... Conversely, some environments where NEA is not expected to be
      applicable would be environments where the Endpoint is owned
      by a User and has not agreed to conform to a network
      provider's policies.

  This text (and other similar text) appears to confuse the issue of NEA
or posture assessment with network access.  If I choose to not conform
with a network's policies by (say) not providing a correct password, the
network provider will not permit me to access the network.  This
scenario should be explicitly mentioned in the document: You do not
have to do NEA.  You do not have to agree to the network owner's
policies.  But the network owner does not have to give you access.

  i.e. It's confusing to say "NEA is not applicable" when someone does not
agree to use NEA.  NEA *is* applicable if it meets the charter
requirements, and the network owner demands that NEA be used.  Instead,
the document should say "NEA may be applicable, but MUST NOT be used if
the Endpoint does not agree to an NEA protocol exchange".

  Text like that would simplify much of the discussion around the
various scenarios.  It would cover legacy systems not running NEA,
systems running NEA but from a differing network, and systems running
NEA where the owner of the endpoint chooses not to comply.

      ... An example might include when the above
      contractor visits any public area like the local coffee shop
      which offers Internet access.  This coffee shop would not be
      expected to be able to use NEA technologies to assess the
      Posture of the contractor's laptop.

  No, that is forbidden by the charter.  Privacy is not the issue.  The
charter states "... we do not know that NEA would be useful in such cases."

  i.e. Non-charter scenarios have many issues, some of which are
unknown.  Non-charter use of NEA is forbidden outright, and should not
be discussed in the document other than to say it is forbidden.

      Other environments are more difficult to determine whether NEA
      is a good fit, so the NEA WG intends to steer clear of such
      areas.

  Again, it is forbidden by charter.  Saying the WG has intentions is
saying we might steer clear... or we might not.

      ... In particular environments where the Owners of the
      Endpoint, the network infrastructure and/or the network
      service provider are different and do not have a strong
      binding contract(s) establishing their expectations for
      conformance and willingness to disclose information to each
      other security policies.

  I'm not sure what that sentence is saying.  Maybe a missing comma?

      ... In particular, environments where the Owners of the
      Endpoint, the network infrastructure and/or the network
      service provider are different and do not have a strong
      binding contract(s) establishing their expectations for
      conformance and willingness to disclose information to each
      other security policies.

  I suggest splitting the sentence into two or more shorter sentences.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
