Re: [Nea] third-party assurances





On Nov 14, 2006, at 10:20 PM, Keith Moore wrote:

regarding NEA: what I might be okay with is giving authorized third parties yes or no assurance that the host meets or does not meet their policies, without giving them fine-grained detail about what is installed on the host.

Certificates obtained from third-party services can meet this requirement. These third-party services might be as simple as a website and agreeing to the AUP. Clicking yes presents the time-stamped NEA certificate that is placed into the NEA repository. The NEA repository should permit profiles where the user can limit which certificates can be seen by specific NEA servers. This approach replaces modifications to DNS redirecting browsers to a specific web page, for example. Not all systems will be using a browser or be used directly by a human.


When a provider detects malicious activity, some type of non-optional compliance requirement might be instantiated. Limiting access to bots better ensures more draconian measures are not taken. The marketplace of access providers is not exceedingly diverse, where I share some of your concerns regarding how NEA might be misused. The number of systems running a cloned corporate version of Windows unable to apply patches is placing the network at risk. How is that problem best addressed?

It seems a good method for dealing with this problem is to enable a means for dealing with bots in an automated fashion. There is simply little a provider will do to help customers restore their pirated OS. Asking for evidence of remediation from an array of third parties selected by these users seems to be one such approach. When there is a compliance failure, the user should be offered a list of choices, and not automated by default. The provider can indicate the services they consider acceptable by presenting their version of the certificates with their hostmaster@ id.

so the owner of a host could get details about why a host did or did not fit within a particular network's policy, but the network (if owned by another party than the owner of the host) could only get yes or no information. I would like to see this option examined further.

The only information that might be available could be limited to which certs were presented together with their time-stamp.


-Doug


_______________________________________________ Nea mailing list Nea at ietf.org https://www1.ietf.org/mailman/listinfo/nea



