> From: Marcus Leech [mailto:mleech@xxxxxxxxxx]

> I think the problem that Keith is talking about is the
> problem of "unreasonable" policies, which will instantly create
> a "criminal" subculture in any networks that have such
> "unreasonable" policies.

The people talking about NEA are generally talking about securing corporate networks.

> For example, if the only ISPs that
> are available to me insist that the machine I connect to
> their precious network run Windows XP SP
> foo, but I'm actually
> a Linux user, then techniques will emerge that allow me to
> fool the ISP into thinking that I'm a Windows XP SP
> foo
> machine.

And what if the cable company decides to only broadcast Fox News?

This is a political issue and not a technical one. This is not the purpose for which the specification is being proposed. The fact that some people might use it for that purpose is irrelevant.

> Trying to enforce that a Turing-complete machine have
> capabilities "no greater than X" might seem to an IT senior manager
> to be a really good idea, but in practical terms, it can't
> be done.

Of course it can. Simply put a trustworthy computing partition on the machine. Palladium is more than capable of providing a proof that would be prohibitively expensive to defeat.

> And if you try to do this in any but the most tightly-purposed
> networks, rebellion will be the inevitable result.

So you accept that the abuse scenario is not credible.

> Some companies have an emerging draconian policy about users
> running only "authorized" software on their machines, with
> a cumbersome "approvals" process for any new software that
> someone might want to run on their machine.

True, I expect this to become the default.

> Which includes
> software written by the user themselves. That type of
> policy might be "reasonable" in a call-center, or some other
> tightly-purposed network, but it fails in the general case,
> and true enforcement is impossible.
> This emerging draconian
> policy is subtly re-defining that which constitutes "useful
> work" in many places such that the only authorized things
> you can do with your machine are to shuffle Word,
> PowerPoint, and Excel documents around, surf the Web,
> and e-mail your co-workers.

That is a matter for you to discuss with your employer. It is not something that a standards body should consider.