KeyNote is an Experimental RFC (see RFC 2704, RFC 2792). I failed to see the context of this discussion since I apparently deleted the emails that preceded this. Despite my lack of context, I did want to state a few reasons why KeyNote is personally interesting to me:

Steve Bellovin wrote a paper in 1999 entitled "Distributed Firewalls" that described a mechanism to build policy-based networks by leveraging the IPsec protocol. This approach addressed most of the problems that occurred with the more ambitious Policy Based Networking (PBN) approaches proposed by entities such as the DMTF's DEN. It has been used to create distributed firewall systems (e.g., see http://www.cs.columbia.edu/~angelos/Papers/df.pdf), including the construction of discrete security zones within the network infrastructure (i.e., elements of a network deployment with heightened or specialized security requirements different from the rest of the deployment).

The IETF's former IPSP working group assembled several tools that can be optionally leveraged to create PBN systems using IPsec, though I perceive that their approach has imploded in the general case due to policy complexities:

* RFC 3586 describes the problem space and solution requirements for developing an IPSP configuration and management framework.

* RFC 2704 describes the KeyNote policy language that can optionally be used to construct PBN systems. The KeyNote implementation functions as a compliance engine and is based on RBAC techniques as encoded within PKI attribute certificates.

* Use of IPsec's ESP (see RFC 4305) in Transport Mode to provide confidentiality, data origin authentication, anti-replay attack protection, and data integrity services in order to enhance network security between communicating devices (e.g., hosts-to-hosts, routers-to-routers) at a specific integrity level.

The DARPA Strong Man work originally experimented with integrating KeyNote with IPsec's Internet Key Exchange (see RFC 4306) protocol in order to create a very fine-grained authentication and access control infrastructure at the network layer. These communications are secured by using IPsec in Transport Mode between communicating devices. A public implementation of this approach is freely available and is built into the OpenBSD Unix OS. This approach creates a tight-knit PBN system that has not been widely deployed to date, to the best of my knowledge.

Nevertheless, corporations such as Boeing remain very interested in mechanisms to "Internet harden" our infrastructures, particularly now that traditional perimeter defense firewalls are being made obsolete by modern business practices. Specifically, we need viable mechanisms to internally create "distributed firewalls" or "security zones" inside our distributed operations environments. The DARPA Strong Man, while not widely implemented to my knowledge, nevertheless is one of the more promising approaches towards doing that.

-----Original Message-----
From: Stephen Kent [mailto:kent@xxxxxxx]
Sent: Monday, May 22, 2006 1:02 PM
To: Russ Housley
Cc: ietf@xxxxxxxx
Subject: Re: Fwd: TLS authorizations draft

At 10:16 AM -0400 5/18/06, Russ Housley wrote:
>I received this note from Angelos Keromytis regarding the
>draft-housley-tls-authz-extns document. I plan to accommodate this
>request unless someone raises an objection.
>
>Russ
>

OK, I'll object :-).

KeyNote has no IETF status, to the best of my knowledge. It is closely aligned with the SDSI/SPKI work for which the IETF created a WG, but ultimately rejected as a standards track effort. So, I find it inappropriate to extend this standards track document to include support for a technology that, via a tenuous link, never made it to standards track status in the IETF.

Steve

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf