[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Authentication Requirements in opes-authorization-00 (section 4.2)

To: "OPES Group" <ietf-openproxy@xxxxxxx>
Subject: RE: Authentication Requirements in opes-authorization-00 (section 4.2)
From: "Oskar Batuner" <batuner@xxxxxxxxx>
Date: Wed, 23 Oct 2002 11:14:43 -0400
Importance: Normal
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-openproxy/mail-archive/>
List-id: <ietf-openproxy.imc.org>
List-unsubscribe: <mailto:ietf-openproxy-request@imc.org?body=unsubscribe>
Sender: owner-ietf-openproxy@xxxxxxxxxxxx

Eric, technically you right - if we are looking only at transport
protocols many things in this draft are not relevant. But
essentially OPES (as well as WEBI and CDN) works on "overlay
network" - the architecture describes system structure built
above application level protocol. This structure sets requirements
for protocols and policies. In this sense one might look at
policies as a very high level protocols that control
communication of certain application level information.

IETF often ventures beyond protocol level considerations. A good
example is RFC 3238 - IAB Considerations for OPES. Out of all
considerations listed in the summary only one - 2.2, IP-layer
addressing - is talking about protocol level requirements, and
even this one is based on policy considerations that are
not dictated by the data transfer needs.

Again, I agree that many OPES drafts do have some inconsistencies
that are due to the fact that each of these drafts deals with
variety of protocol levels. Comments like this one may help
to improve them - but we should always keep in mind that this
group is working not on protocol, but on multilevel
infrastructure.

Oskar


> -----Original Message-----
> From: owner-ietf-openproxy@xxxxxxxxxxxx
> [mailto:owner-ietf-openproxy@xxxxxxxxxxxx]On Behalf Of Eric Burger
> Sent: Monday, October 21, 2002 10:35 PM
> To: OPES Group
> Subject: Authentication Requirements in opes-authorization-00 (section
> 4.2)
>
>
>
> Section 4.2 states, "The service provider MUST keep a log of all requests
> for OPES services".
>
> Last I looked, the IETF is a protocol standards body, not a legislative
> body.  Unless the *protocol* REQUIRES the service provider to
> keep the log,
> this is an unenforceable requirement.  I agree that we need to state our
> sentiment.  A better place may be in the security section.
>
> Likewise, "The trusted users must be authenticated before being allowed to
> take actions" is a similar policy, not protocol statement.  The
> good news is
> "must" is not capitalized.  However, this statement again does
> not belong in
> this section, and should be a SHOULD.
>
> The next paragraph is a place where we can have protocol machinery: "The
> PEP's should be authenticated before they receive policy rules".  If we
> care, then I would propose, "Because of the sensitivity of user profiles,
> the PEP Interface between the PEP and the PDP MUST use a secure transport
> protocol."

References:
- Authentication Requirements in opes-authorization-00 (section 4.2)
  - From: Eric Burger

Prev by Date: RE: Privacy Considerations (4.5) in opes-authorization-00
Next by Date: Some comments on draft-ietf-opes-threats-00
Previous by thread: Authentication Requirements in opes-authorization-00 (section 4.2)
Next by thread: Re: Authentication Requirements in opes-authorization-00 (section 4.2)
Index(es):
- Date
- Thread