Vidya Narayanan wrote: > I am very apprehensive of achieving any meaningful PA-level > interoperability. I am not sure what minimum set of PA attributes will > be standardized, but, whatever that set is, I doubt will be sufficient > to provide any acceptable level of security, even for the endpoints. This is not surprising, since you have said that you don't see any security value to NEA. > Even assuming ongoing standardization of vendor specific attributes, it > is not totally realistic to assume that all applications will support > the appropriate attributes. The rate of standardization is also very > likely to be much slower than the rate of the growth in the number of > attributes needed for any continued meaningful protection. NEA is not based on applications supporting attributes. Attributes are supported by Posture Collectors and Posture Validators, specialized NEA components. An AV Posture Collector will handle attributes pertaining to AV, perhaps by interfacing with an existing AV application. Still, I agree that a given endpoint will typically only support a small subset of the universe of possible attributes. Not a problem. As long as the endpoint supports enough attributes that the Posture Broker can evaluate its compliance with the posture policy, that's enough. Thanks, Steve -----Original Message----- From: Narayanan, Vidya [mailto:vidyan@xxxxxxxxxxxx] Sent: Monday, October 16, 2006 5:06 PM To: Sam Hartman; Frank Yeh Jr Cc: Hardie, Ted; nea@xxxxxxxx; ietf@xxxxxxxx Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea) Sam, > -----Original Message----- > From: Sam Hartman [mailto:hartmans-ietf@xxxxxxx] > Sent: Friday, October 13, 2006 12:43 PM > To: Frank Yeh Jr > Cc: Hardie, Ted; nea@xxxxxxxx; ietf@xxxxxxxx > Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea) > > >>>>> "Frank" == Frank Yeh <fyeh@xxxxxxxxxx> writes: > > Frank> Standardized VS vendor-specific attributes is not > something that needs to be > Frank> solved today. Solutions can start with > vendor-specific and migrate toward a > Frank> standard, if one develops, without changing the > protocol. The specification > Frank> should not preclude the addition of standardized > attributes. IE the > Frank> specification is like an alphabet, attributes are > like vocabulary. You can add > Frank> new words without changing the letters. > > > One of the things coming out of the most recent BOF was a > strong desire for PA-level interoperability. That can be > accomplished through standardized attributes or > vendor-specific attributes that are sufficiently well > documented (and not subject to patents) that third parties > can implement collectors or analysis tools that interoperate > with the vendor tools for the vendor attributes. > > Will we be able to meet these interoperability goals? Why or why not? > I am very apprehensive of achieving any meaningful PA-level interoperability. I am not sure what minimum set of PA attributes will be standardized, but, whatever that set is, I doubt will be sufficient to provide any acceptable level of security, even for the endpoints. Even assuming ongoing standardization of vendor specific attributes, it is not totally realistic to assume that all applications will support the appropriate attributes. The rate of standardization is also very likely to be much slower than the rate of the growth in the number of attributes needed for any continued meaningful protection. Regards, Vidya _______________________________________________ Nea mailing list Nea@xxxxxxxx https://www1.ietf.org/mailman/listinfo/nea _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf