Re: [Isms] ISMS session summary

Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de> Thu, 13 July 2006 19:50 UTC

Date: Thu, 13 Jul 2006 21:00:40 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: Eliot Lear <lear@cisco.com>
Subject: Re: [Isms] ISMS session summary
Message-ID: <20060713190040.GA1120@h1fcf-net84db.lab.risq.net>
Mail-Followup-To: Eliot Lear <lear@cisco.com>, Juergen Quittek <quittek@netlab.nec.de>, isms@ietf.org
References: <C07B45A0E001A011540F7803@h0ad6-net84db.lab.risq.net> <44B69357.6050507@cisco.com>
In-Reply-To: <44B69357.6050507@cisco.com>
Cc: isms@ietf.org

On Thu, Jul 13, 2006 at 08:39:19PM +0200, Eliot Lear wrote:

> A simple approach to take here would be to say that if you're using
> Kerberos to authenticate you must fill in appropriate VACM tables OOB. 
> This would, therefore, involve a bunch of null functions for Kerberos.

Two observations:

(a) The security name to group name mapping is a VACM feature and once
    you are in VACM in our architecture, you surely do not know
    anymore what was actually used down there in the SSH layer to
    actually perform the authentication. We do have a layered
    architecture and we should not break up those layers.

(b) Our charter currently says:

    Work on new access control models or centralized administration of
    View-based Access Control Model (VACM) rules and mappings is outside
    the scope of the working group.

As much as I understand the desire to have a security name to group
name mapping coming from AAA, it seems that we are currently not
chartered to provide it. Note that relevant RADIUS attributes have
been proposed to the radext WG and people really interested in having
support should read

	draft-nelson-radius-management-authorization-03.txt

and help David Nelson to move this document along in RADEXT.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany

_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms
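The following is an added example, not code from the thread, from net-snmp or from any IETF reference implementation. It models the isAccessAllowed() decision of RFC 3415 (VACM) to make observation (a) concrete: the only inputs the access-control layer receives are securityModel, securityName, securityLevel, context, view type and the object identifier, so whatever SSH did to authenticate the user (password, public key, GSSAPI/Kerberos) is consumed in the transport layer and cannot influence the group lookup. The securityModel name "tsm", the hypothetical helper tsm_params_from_ssh(), and the sample tables (group "operators", view "systemOnly", user "jschoenw") are assumptions constructed for the example; the transport security model was still being designed when this message was written.

```python
"""Model of the RFC 3415 VACM access decision (added example, not net-snmp code).
Demonstrates that the SSH authentication method never reaches VACM."""
from dataclasses import dataclass

SECURITY_LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


@dataclass(frozen=True)
class AccessEntry:               # one row of vacmAccessTable
    group: str
    context_prefix: str
    security_model: str          # "any" or a concrete model name
    security_level: str          # minimum level required by this row
    context_match: str           # "exact" or "prefix"
    read_view: str
    write_view: str
    notify_view: str


@dataclass(frozen=True)
class ViewFamily:                # one row of vacmViewTreeFamilyTable
    view: str
    subtree: tuple
    mask: tuple                  # 1 = sub-identifier must match; missing bits count as 1
    included: bool


class Vacm:
    def __init__(self):
        self.contexts = {""}     # vacmContextTable; "" is the default context
        self.sec_to_group = {}   # (securityModel, securityName) -> groupName
        self.access = []         # AccessEntry rows
        self.views = []          # ViewFamily rows

    def _in_view(self, view, oid):
        # RFC 3415: the longest matching family decides included/excluded
        best = None
        for fam in self.views:
            if fam.view != view or len(fam.subtree) > len(oid):
                continue
            ok = all((i < len(fam.mask) and fam.mask[i] == 0) or oid[i] == sub
                     for i, sub in enumerate(fam.subtree))
            if ok and (best is None or len(fam.subtree) > len(best.subtree)):
                best = fam
        return best is not None and best.included

    def is_access_allowed(self, security_model, security_name, security_level,
                          view_type, context_name, oid):
        """isAccessAllowed() from RFC 3415 section 3.2; returns the RFC's status names."""
        if context_name not in self.contexts:
            return "noSuchContext"
        group = self.sec_to_group.get((security_model, security_name))
        if group is None:
            return "noGroupName"
        level = SECURITY_LEVELS[security_level]
        cands = [a for a in self.access
                 if a.group == group
                 and a.security_model in ("any", security_model)
                 and SECURITY_LEVELS[a.security_level] <= level
                 and ((a.context_match == "exact" and a.context_prefix == context_name) or
                      (a.context_match == "prefix" and context_name.startswith(a.context_prefix)))]
        if not cands:
            return "noAccessEntry"
        # best-match rule: concrete model over "any", exact over prefix,
        # longer prefix, then higher security level
        best = max(cands, key=lambda a: (a.security_model != "any",
                                         a.context_match == "exact",
                                         len(a.context_prefix),
                                         SECURITY_LEVELS[a.security_level]))
        view = {"read": best.read_view, "write": best.write_view,
                "notify": best.notify_view}[view_type]
        if not view:
            return "noSuchView"
        return "accessAllowed" if self._in_view(view, oid) else "notInView"


def tsm_params_from_ssh(ssh_user, ssh_auth_method):
    """Hypothetical transport-layer hand-off (an assumption of this example): the SSH
    authentication method is consumed here and never reaches VACM."""
    del ssh_auth_method          # deliberately dropped: VACM has no column for it
    return ("tsm", ssh_user, "authPriv")   # securityModel name "tsm" is an assumption


def build_example_vacm():
    """Constructed sample tables: user jschoenw in group operators, view systemOnly."""
    vacm = Vacm()
    vacm.sec_to_group[("tsm", "jschoenw")] = "operators"
    vacm.access.append(AccessEntry("operators", "", "any", "authNoPriv", "exact",
                                   "systemOnly", "", ""))              # read only
    vacm.access.append(AccessEntry("operators", "", "tsm", "authPriv", "exact",
                                   "systemOnly", "systemOnly", ""))    # read + write
    # systemOnly: mib-2.system (1.3.6.1.2.1.1) included, sysContact (…1.4) excluded
    vacm.views.append(ViewFamily("systemOnly", (1, 3, 6, 1, 2, 1, 1), (), True))
    vacm.views.append(ViewFamily("systemOnly", (1, 3, 6, 1, 2, 1, 1, 4), (), False))
    return vacm


def decide(vacm, ssh_user, ssh_auth_method, view_type, oid):
    """Full path: SSH session -> transport parameters -> VACM decision."""
    model, name, level = tsm_params_from_ssh(ssh_user, ssh_auth_method)
    return vacm.is_access_allowed(model, name, level, view_type, "", oid)


if __name__ == "__main__":
    v = build_example_vacm()
    sys_descr = (1, 3, 6, 1, 2, 1, 1, 1, 0)
    for method in ("password", "publickey", "gssapi-with-mic"):
        print(method, decide(v, "jschoenw", method, "read", sys_descr))
```

Running the block prints the same decision for all three SSH authentication methods, which is the point: filling in a different group for a Kerberos-authenticated user would require information that, by construction of the layered architecture, VACM never sees. Note that the "tsm"/authPriv row is selected over the "any" row by the best-match rule, so write access to the system group is granted while sysContact stays excluded from the view.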