Re: Authentication, access control, and key distribution

["George M. Jones" <gmjones@mitre.org>]

On Nov 18, 2004, at 10:34 AM, David B Harrington wrote:

> Hi George,
>
> You pointed out that there are two documents in development:
> "There are two things/docs to come out of this.  One is Merike's doc,
> which is
> striclty a current practices survey.   Two is the capabiliites needed
> to support
> those practices.    This disccuion is useful as input to both docs.
>
> Then you constrain input to only one of the documents:
> "Can you phrase those in the form of capabilities ("supports
> fallback to local authentication in the event that network
> based authentication mechanisms are unavailable") ?  If so,
> we can discuss."

I don't think I was *constraining* input to a single document....
my mind was on the capabilities so I  *asked* ("can you...")
for formatted input on that as a discussion starter.

...

> Why do we need to phrase this in terms of device capabilities to get
> it discussed?
> I suggest that identifying the best current practice comes first, then
> device capabilities to support those practices should be discussed.

Seems like a reasonable plan and in fact what I think Merike is working 
on.

In the end, I think it's going to be hard to talk about practices 
without
referencing capabilities and visa versa.   The split in docs is being
done for several reasons:

  - It is considered relatively easy to get a list of what operators 
are doing today.
    Either you are you are not doing something.   make lists.  
Correlate.

 - It seems that practices are something of the chicken (as in "and the 
egg").
   A good place to start.

 - The ops document will provide a good framework on which to hang
   practice docs.

- The ops document will provide justification for the capabilities docs.

- The desire to keep the documents relatively small.

Feel free to discuss in an unconstrained manner.

---george