ietf-openproxy

RE: Authentication Requirements in opes-authorization-00 (section 4.2)

2002-10-23 08:14:46

Eric, technically you are right - if we are looking only at transport
protocols, many things in this draft are not relevant. But
essentially OPES (as well as WEBI and CDN) works on an "overlay
network" - the architecture describes a system structure built
above the application level protocol. This structure sets requirements
for protocols and policies. In this sense one might look at
policies as very high level protocols that control
communication of certain application level information.

IETF often ventures beyond protocol level considerations. A good
example is RFC 3238 - IAB Considerations for OPES. Out of all
considerations listed in the summary only one - 2.2, IP-layer
addressing - is talking about protocol level requirements, and
even this one is based on policy considerations that are
not dictated by the data transfer needs.

Again, I agree that many OPES drafts do have some inconsistencies
that are due to the fact that each of these drafts deals with
a variety of protocol levels. Comments like this one may help
to improve them - but we should always keep in mind that this
group is working not on a protocol, but on a multilevel
infrastructure.

Oskar


-----Original Message-----
From: owner-ietf-openproxy(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-openproxy(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Eric Burger
Sent: Monday, October 21, 2002 10:35 PM
To: OPES Group
Subject: Authentication Requirements in opes-authorization-00 (section 4.2)



Section 4.2 states, "The service provider MUST keep a log of all requests
for OPES services".

Last I looked, the IETF is a protocol standards body, not a legislative
body.  Unless the *protocol* REQUIRES the service provider to keep the log,
this is an unenforceable requirement.  I agree that we need to state our
sentiment.  A better place may be in the security section.

Likewise, "The trusted users must be authenticated before being allowed to
take actions" is a similar policy, not protocol statement.  The good news is
"must" is not capitalized.  However, this statement again does not belong in
this section, and should be a SHOULD.

The next paragraph is a place where we can have protocol machinery: "The
PEP's should be authenticated before they receive policy rules".  If we
care, then I would propose, "Because of the sensitivity of user profiles,
the PEP Interface between the PEP and the PDP MUST use a secure transport
protocol."

