Re: [Isms] Multiple user namespaces (was RE: pre11 comments)
On Mon, Jul 28, 2008 at 10:06:38AM -0400, David B. Nelson wrote:
> > I assume we more or less agree that we have to be able to
> > differentiate between names coming from different secure transport
> > models. Any violent disagreement with this statement?
>
> Yes. I disagree. This has nothing to do with different secure transport
> models and everything to do with the underlying source of user identity.
> The "tagging" needed to disambiguate the usernames needs to be tied not to
> the protocol but to the source or identity, e.g. an administrative realm.
> When the source of identity is the local database of the secure transport
> implementation, we take the shortcut (incorrect, IMHO) of "tagging" with the
> protocol name.
Speaking as technical contributor...
Some time ago, we decided to treat SSH as a black box that delivers a
name that we can later (perhaps translated) use as a securityName with
securityLevel authPriv and that we do not peek into the internals of
SSH to, say, validate the securityLevel. Are you now saying we have to
peek into SSH internals to figure out which "realm" a name provided by
SSH belongs to?
> Another is the source, syntax and semantics of the "tagging"
> information.
Playing devil's advocate: Why do we have to standardize this?
As far as I can tell, the mapped name only has to be consistent with
the local ACM policy. In USM, the authenticated name is usmUserName
and the usmUserTable allows me to map this name to a security name. In
other words, with USM I can already today map usmUserName "schoenw" to
"usm:schoenw" if I like to. Likewise, with the snmpCommunityTable I
can map the community string "schoenw" to "csm+schoenw" if I want to.
With a mapping table in TSM, I may be able (depending on the table
structure) to map "schoenw" authenticated by an SSH transport to
"ssh_schoenw". Is this not good enough?
/js
--
Juergen Schoenwaelder Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
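The per-source tagging of authenticated names that the message sketches (usm:schoenw, csm+schoenw, ssh_schoenw), as an added example that is not part of the original post or of any SNMP implementation. It models a local mapping table keyed on the identity source, refuses collisions that an untagged policy would produce, and keys a constructed VACM-style group lookup on the tagged securityName; the table names, prefixes and sample users are assumptions of the example.

```python
# Added illustration of a local securityName mapping table. Sources, tag
# formats, users and group names are constructed for this example.

# How each identity source decorates the authenticated name before it is
# handed to the access control model; collisions between sources are
# impossible as long as the tags differ.
TAG_POLICY = {
    "usm": lambda name: f"usm:{name}",   # usmUserTable analogue
    "csm": lambda name: f"csm+{name}",   # snmpCommunityTable analogue
    "ssh": lambda name: f"ssh_{name}",   # TSM mapping for an SSH transport
}

# Untagged policy: every source hands over the raw name unchanged.
UNTAGGED_POLICY = {source: (lambda name: name) for source in TAG_POLICY}


def map_security_name(source, authenticated_name, policy=TAG_POLICY):
    """Map a name authenticated by `source` to a local securityName."""
    if source not in policy:
        raise ValueError(f"unknown identity source: {source}")
    return policy[source](authenticated_name)


def build_mapping_table(identities, policy=TAG_POLICY):
    """identities: iterable of (source, authenticated_name).
    Returns {(source, name): securityName}; raises if two distinct
    identities would share one securityName (an ACM ambiguity)."""
    table, owners = {}, {}
    for source, name in identities:
        sec = map_security_name(source, name, policy)
        if sec in owners and owners[sec] != (source, name):
            raise ValueError(f"{sec!r} claimed by {owners[sec]} and {(source, name)}")
        owners[sec] = (source, name)
        table[(source, name)] = sec
    return table


def collides(identities, policy):
    """True if the policy lets two identities map to one securityName."""
    try:
        build_mapping_table(identities, policy)
    except ValueError:
        return True
    return False


# Constructed vacmSecurityToGroupTable analogue: rights are keyed on the
# tagged securityName, so the local policy decides per source.
VACM_GROUPS = {"usm:schoenw": "admins", "ssh_schoenw": "admins",
               "csm+schoenw": "readonly"}


def group_for(source, name, groups=VACM_GROUPS, policy=TAG_POLICY):
    """Resolve the group an authenticated (source, name) pair lands in."""
    return groups.get(map_security_name(source, name, policy))
```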
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms