Re: [secdir] [Isms] secdir reviewofdraft-ietf-isms-transport-security-model-12

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 08 May 2009 21:42 UTC


On Fri, May 08, 2009 at 06:56:27PM +0200, tom.petch wrote:
 
> The idea of Models in SNMP is to be able to mix and match.  In
> practice, this has not worked - USM with sshTM will not function,
> regardless of whether it is secure or not.

Not sure I understand why. Can you explain?

> Thus TLS has session cache and resumption. Will that work with TSM?

Yes, this will just work fine since it is transparent. You can add
session resumption to SSH and it will work just fine with sshtm.

Of course, sometimes we design for extensibility and when we need it,
we realize the shortcomings of the design. But there are also things
that just work fine - you are painting a picture here with black
colors. Even though it is difficult to get extensibility right, I think
not trying to be extensible is not an alternative.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>