RE: Multiple TAAs



 
> -----Original Message-----
> From: owner-ietf-trust-anchor@xxxxxxxxxxxxx 
> [mailto:owner-ietf-trust-anchor@xxxxxxxxxxxxx] On Behalf Of 
> Stephen Kent
> Sent: Monday, September 10, 2007 12:13 PM
> To: Black_David@xxxxxxx
> Cc: ietf-trust-anchor@xxxxxxxx
> Subject: RE: Multiple TAAs
> 
.....
> >
> >And let's assume that the enterprise security administrator is also the
> >only authorized source for IKE authentication TA management, since that
> >comes up in the next paragraph.  There are three classes of
> >entities:
> >	- device vendor
> >	- application proxy vendors
> >	- enterprise security administrator
> >and there's no overlap among the classes, although I could envision the
> >device vendor supplying some initial application proxies with the
> >device.
> 
> I would expect that the device vendor might also be a proxy supplier,
> both initially and perhaps throughout the life of the product.

Hmmm, there are plenty of Enterprises who only allow their IT guys to
perform any and all updates (software and firmware).  Employees are
prohibited from installing anything. These IT guys turn off Windows auto
update on all clients. In such Enterprises, the IT guy is the sole TAA.
He/she downloads all software and firmware updates, tests them and then
(if ok) pushes them out to the client machines through the internal
network.

However, this is perhaps orthogonal to a technically sound TAM solution
(which should allow the Enterprise to designate multiple TAAs).

/thomas/