On Mon, 17 Feb 2003, The Purple Streak, Hilarie Orman wrote:
I think it's not as collaborative and loose and all that. The OPES
processor is the enforcement point for privacy. It's designed to be
a very fast and fine-grained, policy-based, application-layer
switch. If it is not the repository for user preferences, then all
the policy enforcement and authentication requirements get pushed to
the callout servers. This leaves the OPES processor with almost no
function - it might as well be a dumb hardware switch operating at
layers 4 through 7.

On Tue, 18 Feb 2003, Abbie Barbir wrote:
We cannot assume that the callout server will be the PEP (or at
least the main one). Otherwise, we get in trouble if the callout
server is in different administration domain, etc... The way I look
at it, the OPES processor may use different callout servers based on
different services, so this means that the OPES processor must be
the PEP, the callout server can be a secondary PEP if chaining is
used.

I would suggest looking at the privacy/policy enforcement from the
content producer and content consumer points of view instead of from
OPES point of view. OPES must satisfy producer and consumer
expectations and must address IAB concerns. This does not imply that
we have to place enforcement in one place: OPES processor or OPES
server. It simply means that the policies must be enforced. The more
flexible the protocol is, the better. Neither the producer nor the
consumer cares where/how exactly their policies are enforced as long as
the policies are enforced.

In some deployments, the OPES processor may be a dumb hardware switch
operating at L7. Fine! Some scenarios will make OPES server nearly as
dumb and place policy enforcement on the OPES processor. Great. If we
can permit both scenarios while enforcing the policies and addressing
concerns from producer and consumer points of view, we should do that.
At this time, it is too early to tell whether we can, so let's not
assume any restrictions on policy enforcer location until we have to
introduce them.

Thanks,
Alex.