[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Draft Charter

To: Stephen Kent <kent@xxxxxxx>
Subject: Re: Draft Charter
From: Paul Hoffman <paul.hoffman@xxxxxxxx>
Date: Mon, 13 Aug 2007 08:30:15 -0700
Cc: Yoav Nir <ynir@xxxxxxxxxxxxxx>, ietf-trust-anchor@xxxxxxxx
In-reply-to: <> <40F31377-6CFE-450C-9500-ED50163AD01A@xxxxxxxxxxxxxx>
List-archive: <http://www.vpnc.org/ietf-trust-anchor/mail-archive/>
List-id: <ietf-trust-anchor.vpnc.org>
List-unsubscribe: <mailto:ietf-trust-anchor-request@vpnc.org?body=unsubscribe>
References: <> <26D8BDE7-D21D-4B85-97D5-08FF26EF76B9@xxxxxxxxxxxxxx> <> <> <> <26D8BDE7-D21D-4B85-97D5-08FF26EF76B9@xxxxxxxxxxxxxx> <> <40F31377-6CFE-450C-9500-ED50163AD01A@xxxxxxxxxxxxxx>
Sender: owner-ietf-trust-anchor@xxxxxxxxxxxxx


At 9:46 AM -0400 8/13/07, Stephen Kent wrote:

You raise an important issue of perspective. If a TAA is an"authority" then it can try to do anything (e.g., issue any commandin a protocol), but the effects of what it does are constrained bythe authority granted to it. That authority may be defined by theuser, or by some other TAA.

Exactly right. Our format/protocol gives TAAs the ability to statewhat they want, but it is up to the receiving system to decide whatto do with that statement.

However, we do need to be very careful about the complexity ofpolices that can be expressed here. We have lots of experience inthe security environment that suggest users, even sys admins, arenot very good at managing policies once the level of complexitygrows beyond a certain point. Our requirements development processneeds to be mindful of this issue, and not assume that users willsuddenly become much better at this crucial task.


Fully agree. My view on this is that:

- We need to make the single-TAA scenario work just as expected: theend user will follow that TAA's instructions exactly.

- We need to make the multi-TAA scenario be simple. If we do notallow deletes, then there is problem, but I think we need to allowdeletes. Given that, we should specify the simplest way to handledeletes.


At 4:50 PM +0300 8/13/07, Yoav Nir wrote:

This just gave me a mental image of the next generation InternetExplorer scary pop-up with the DN of the TAA and the DN of the newTAA, a warning about possible exploits and data corruption, with thefinal question "Do you accept this trust anchor?"

If the hierarchy is defined as the user adds TAAs, then no suchinteraction is ever needed. I understand your desire for thesingle-TAA model, but please don't say that the multi-TAA model ismore complicated than it needs to be.

For example, assume that the user has the setting "TAA1 is moreimportant than TAA2". Then, in your examples:
- If TAA1 adds a TA, can TAA2 delete it?
No.
What if TAA2 knows for a fact that the private key of the TA hasbeen compromised? The example I have in my head is TAA1 isMicrosoft (or Mozilla - the browser vendor), while TAA2 is yourcompany. I can't say that one is more important than the other.

If you cannot create a hierarchy, then you are forcing the user tomake decisions for every addition or removal of any TA. There wasstrong pushback against that in Chicago. That leaves us with twooptions: go with the single-TAA model, or go with a multi-TAA modelthat does not require user interaction when new TAs are added orcurrent TAs are removed. I favor the latter.


--Paul Hoffman, Director
--VPN Consortium

References:
- Draft Charter
  - From: Turner, Sean P.
- Re: Draft Charter
  - From: Yoav Nir
- Re: Draft Charter
  - From: Paul Hoffman
- Re: Draft Charter
  - From: Stephen Kent
- Re: Draft Charter
  - From: Yoav Nir

Prev by Date: Re: Draft Charter
Previous by thread: Re: Draft Charter
Next by thread: Re: Draft Charter
Index(es):
- Date
- Thread