Re: [Isms] pre11 comments

>>>>> On Thu, 3 Jul 2008 18:40:20 -0400, "David B. Nelson" <dnelson at elbrysnetworks.com> said:

>> This all means that *if* we want to allow separate authorization
>> levels for different secure transports (and I'll argue that we
>> do want to)...

DBN> Well, yeah, but where do we stop?

Right now the VACM and the security model can be used together to grant
or deny access based on a particular security model.  With a generic
"any sub-transport will do" security model not being put in place (TSM)
then we lose that ability.  I'm not trying to gain ground by doing
cipher-suite selection (that can still be left up to the individual
transport model's configuration since it's very specific to it).  What I
do think we're losing, though, is the ability to select an
authorization set based on the protocol being used itself (like we used
to be able to select between USM and KSM).  I don't think we should go
further than that, because further than that wasn't ever in the original
SNMPv3 architecture either.

-- 
Wes Hardaker
Sparta, Inc.
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms