Vidya Narayanan wrote:
I am very apprehensive of achieving any meaningful PA-level
interoperability. I am not sure what minimum set of PA attributes will
be standardized, but, whatever that set is, I doubt will be sufficient
to provide any acceptable level of security, even for the endpoints.
This is not surprising, since you have said that you don't see
any security value to NEA.
Even assuming ongoing standardization of vendor specific attributes,
it
is not totally realistic to assume that all applications will support
the appropriate attributes. The rate of standardization is also very
likely to be much slower than the rate of the growth in the number of
attributes needed for any continued meaningful protection.
NEA is not based on applications supporting attributes.
Attributes are supported by Posture Collectors and
Posture Validators, specialized NEA components. An AV
Posture Collector will handle attributes pertaining
to AV, perhaps by interfacing with an existing AV
application. Still, I agree that a given endpoint
will typically only support a small subset of the
universe of possible attributes. Not a problem.
As long as the endpoint supports enough attributes
that the Posture Broker can evaluate its compliance
with the posture policy, that's enough.
Thanks,
Steve
-----Original Message-----
From: Narayanan, Vidya [mailto:vidyan(_at_)qualcomm(_dot_)com]
Sent: Monday, October 16, 2006 5:06 PM
To: Sam Hartman; Frank Yeh Jr
Cc: Hardie, Ted; nea(_at_)ietf(_dot_)org; ietf(_at_)ietf(_dot_)org
Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Sam,
-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf(_at_)mit(_dot_)edu]
Sent: Friday, October 13, 2006 12:43 PM
To: Frank Yeh Jr
Cc: Hardie, Ted; nea(_at_)ietf(_dot_)org; ietf(_at_)ietf(_dot_)org
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
"Frank" == Frank Yeh <fyeh(_at_)us(_dot_)ibm(_dot_)com> writes:
Frank> Standardized VS vendor-specific attributes is not
something that needs to be
Frank> solved today. Solutions can start with
vendor-specific and migrate toward a
Frank> standard, if one develops, without changing the
protocol. The specification
Frank> should not preclude the addition of standardized
attributes. IE the
Frank> specification is like an alphabet, attributes are
like vocabulary. You can add
Frank> new words without changing the letters.
One of the things coming out of the most recent BOF was a
strong desire for PA-level interoperability. That can be
accomplished through standardized attributes or
vendor-specific attributes that are sufficiently well
documented (and not subject to patents) that third parties
can implement collectors or analysis tools that interoperate
with the vendor tools for the vendor attributes.
Will we be able to meet these interoperability goals? Why or why not?
I am very apprehensive of achieving any meaningful PA-level
interoperability. I am not sure what minimum set of PA attributes will
be standardized, but, whatever that set is, I doubt will be sufficient
to provide any acceptable level of security, even for the endpoints.
Even assuming ongoing standardization of vendor specific attributes, it
is not totally realistic to assume that all applications will support
the appropriate attributes. The rate of standardization is also very
likely to be much slower than the rate of the growth in the number of
attributes needed for any continued meaningful protection.
Regards,
Vidya
_______________________________________________
Nea mailing list
Nea(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/nea
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf