Re: [secdir] Secdir review of draft-ietf-isms-radius-vacm-09
"Dave Nelson" <d.b.nelson@comcast.net> Tue, 17 August 2010 11:52 UTC
From: Dave Nelson <d.b.nelson@comcast.net>
To: 'Magnus Nyström' <magnusn@gmail.com>, secdir@ietf.org, iesg@ietf.org, draft-ietf-isms-radius-vacm@tools.ietf.org
Date: Tue, 17 Aug 2010 07:53:22 -0400
Magnus Nyström writes...

> 3. Current sub-subsection 7.2.1 seems to indicate that neither
> the User-Name nor the Management-Policy-ID are required (says
> "or equivalent"). Please clarify if this is inconsistent with
> the text in 7.2 or not (maybe I'm missing something here).

Use of the term "or equivalent" is intended to cover the use of other AAA protocols besides RADIUS. For use with RADIUS, the User-Name and Management-Policy-Id are required to use the mechanism described in this document. For some other, hypothetical, AAA service the equivalent attributes may have other names. This is just a bit of editorial future-proofing. The other IETF standard AAA protocol, Diameter, inherits the RADIUS attribute space, so these attributes are also available via Diameter.

> 4. In Section 7.2.3, how many groups can a user be a member of
> for a given securityModel in this design? Only one?

RFC 5607 allows zero or one instance of the Management-Policy-Id to occur in any RADIUS Access-Accept message, so for RADIUS usage it would be only one.
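The two points above (both attributes are required for RADIUS, and at most one Management-Policy-Id may appear in an Access-Accept) as an added worked example, not code from the draft or its authors. It assumes the attribute Type codes User-Name = 1 (RFC 2865) and Management-Policy-Id = 135 (RFC 5607), takes the User-Name from the Access-Request, and uses its own function names and constructed sample packets.

```python
# RADIUS attribute Type codes: User-Name (RFC 2865), Management-Policy-Id
# (RFC 5607). Function names and the sample data are this example's own.
USER_NAME = 1
MANAGEMENT_POLICY_ID = 135

def parse_radius_attributes(payload: bytes) -> list:
    """Walk the Type/Length/Value list of a RADIUS packet body. Length counts
    the Type and Length octets, so a valid attribute is >= 3 octets."""
    attrs, offset = [], 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[offset], payload[offset + 1]
        if alen < 3 or offset + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {offset}")
        attrs.append((atype, payload[offset + 2:offset + alen]))
        offset += alen
    return attrs

def vacm_group_for_session(request_body: bytes, accept_body: bytes,
                           security_model: str = "usm"):
    """Map one RADIUS exchange to a vacmSecurityToGroupTable row
    (securityModel, securityName, groupName): securityName is the User-Name
    from the Access-Request, groupName the Management-Policy-Id from the
    Access-Accept. Returns None when either is absent (no group granted)."""
    user_names = [v for t, v in parse_radius_attributes(request_body)
                  if t == USER_NAME]
    policy_ids = [v for t, v in parse_radius_attributes(accept_body)
                  if t == MANAGEMENT_POLICY_ID]
    # RFC 5607 allows zero or one Management-Policy-Id per Access-Accept;
    # two or more is ambiguous, so refuse rather than guess a group.
    if len(policy_ids) > 1:
        raise ValueError("multiple Management-Policy-Id attributes")
    if len(user_names) != 1 or not policy_ids:
        return None
    return (security_model, user_names[0].decode("utf-8"),
            policy_ids[0].decode("utf-8"))

def radius_attr(atype: int, value: bytes) -> bytes:
    """Encode one Type/Length/Value attribute (for building sample data)."""
    return bytes([atype, 2 + len(value)]) + value

# Constructed sample exchange: "alice" authenticates and the server assigns
# the VACM group "ops-ro" through Management-Policy-Id.
SAMPLE_REQUEST = radius_attr(USER_NAME, b"alice")
SAMPLE_ACCEPT = radius_attr(MANAGEMENT_POLICY_ID, b"ops-ro")
```

An Access-Accept with no Management-Policy-Id yields no VACM group at all, which is the safe default when the mechanism is not in use.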