
Re: [Isms] RE: Follow up on Authorize Only issue



On Tue, Jul 25, 2006 at 05:12:10PM -0400, Nelson, David wrote:
 
> We've had this discussion many months ago.  My opinion hasn't changed.
> I think that providing a way for RADIUS to provision group membership
> information that can be used to map into any Access Control Subsystem
> ought to be part of the work.  Especially if it does not actually affect
> the architectural model, and is accomplished in an implementation
> dependent fashion.

My understanding is that the concept of a group name is specific to
VACM. The ASIs into the ACM subsystem do not carry such a thing as a
group name. As such, the mapping of security names to group names is VACM
specific and clearly happens within VACM from an architectural point
of view.

While I do see interest in addressing this VACM security name to group
name mapping issue, I do indeed see this work item in conflict with
the current ISMS charter:

: Work on new access control models or centralized administration of
: View-based Access Control Model (VACM) rules and mappings is outside
: the scope of the working group.

Given our current charter, I would like to see the RADIUS document we are
chartered to produce focus on RADIUS SSH user authentication and
RADIUS authorization of the SSH SNMP subsystem.  Another document
detailing how RADIUS can be used by VACM to obtain security name to
group name mappings might be written and become a WG item in the
future once we have completed our current work items and can
re-charter and take on new work.

Note that this of course does not impact the RADEXT document, which may
define all attributes needed to address all the RADIUS related ISMS
requirements.

I would actually like to encourage people to write a document which explains
how VACM can utilize RADIUS to provision the security name to group
name mapping and to post such a document as an individual draft. But
as explained above, this work can't become an official WG work item
under the current charter.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany