On Sat, Mar 09, 2019 at 09:35:51AM -0500, Keith Moore wrote:
> On 3/8/19 2:55 PM, Viktor Dukhovni wrote:
> >
> > The problem isn't DNS, it is that we lack a broadly applicable
> > technology that most organizations can use to expose fine-grained
> > access control for configuration data.
>
> That's an interesting observation and a constructive suggestion. I don't
> think it addresses the entire problem, but it definitely takes a stab at
> part of it. [...]

Self-service tooling *requires* fine-grained authorization. No fine-grained
authz -> no self-service tooling -> users must call for help.

The secret to (sys)admin cost reduction is self-service tooling.

Now, it's hard for an RFC to say much about how authz is done in the
backend, even when using protocols like OAuth. But without a widely used
(and copied) authz system, we'll get nowhere. Each organization / vendor is
an island with their own [expensive] tooling.

> Beyond those issues, I observe that many small networks don't bother with
> DNS because it's not understood and/or seen as too much trouble. [...]

Everything has to be turn-key that can be. And everything has to have
self-service tooling. This requires a comprehensive authz technology.

As it happens, I hope to publish a paper on this topic soon, describing a
candidate authz system into which I've sunk much of the past few years of
my work. (Hopefully my client will open source much of it.) I need a decent
venue for this paper, preferably one w/o a pay-wall. Suggestions welcomed.

Nico
--
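A sketch of the distinction the message draws, as an added example that is not part of the original thread and not the authz system Nico refers to: a zone-level check, which is what most DNS tooling offers, can only answer "zone admin or not", so every record change by an ordinary user turns into a ticket; a per-name, per-type grant lets that user change exactly the records they own and nothing else. The principals, zone, grant syntax (`*.cut` for names strictly below a cut) and requests are all constructed for illustration.

```python
"""Fine-grained authorization for self-service DNS record changes.

Added example, not code from the thread or from the authz system its author
mentions. It illustrates the argument above: zone-level authorization gives
only "no access" or "whole-zone access", so ordinary users must call for
help, while per-name, per-type grants let them change just what they own.
Principals, zone names and grants below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


def canon(name: str) -> str:
    """Normalise a DNS name: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def in_subtree(name: str, apex: str) -> bool:
    """True if name is apex itself or lies below it."""
    name, apex = canon(name), canon(apex)
    return name == apex or name.endswith("." + apex)


@dataclass(frozen=True)
class UpdateRequest:
    principal: str  # authenticated identity (TSIG key name, OAuth subject, ...)
    zone: str
    name: str       # owner name being changed
    rtype: str      # RR type: A, AAAA, TXT, NS, ...
    op: str         # "add" or "delete"


@dataclass(frozen=True)
class Grant:
    """One delegation of authority over part of a zone (constructed syntax)."""
    principal: str
    zone: str
    scope: str         # exact owner name, or "*.cut" for names strictly below cut
    rtypes: frozenset  # RR types the principal may change
    ops: frozenset = frozenset({"add", "delete"})

    def covers(self, req: UpdateRequest) -> bool:
        if self.principal != req.principal or canon(self.zone) != canon(req.zone):
            return False
        if self.scope.startswith("*."):
            # Subtree grant: names below the cut, never the cut itself, so the
            # holder cannot rewrite the NS or glue records at its own apex.
            cut = canon(self.scope[2:])
            name_ok = in_subtree(req.name, cut) and canon(req.name) != cut
        else:
            name_ok = canon(self.scope) == canon(req.name)
        return name_ok and req.rtype.upper() in self.rtypes and req.op in self.ops


def authorize_coarse(req: UpdateRequest, zone_admins: Iterable[str]) -> Tuple[bool, str]:
    """Zone-level check: admins may change anything in the zone, nobody else anything."""
    if not in_subtree(req.name, req.zone):
        return False, "name outside zone"
    if req.principal in zone_admins:
        return True, "zone admin"
    return False, "not a zone admin"


def authorize_fine(req: UpdateRequest, grants: Iterable[Grant]) -> Tuple[bool, str]:
    """Per-name, per-type check: deny by default, allow only on an explicit grant."""
    if not in_subtree(req.name, req.zone):
        return False, "name outside zone"
    for g in grants:
        if g.covers(req):
            return True, f"grant {g.scope} {sorted(g.rtypes)}"
    return False, "no matching grant"


# Constructed policy: alice owns the hosts under lab.example.com but not its
# delegation; bob owns exactly one TXT record, for ACME DNS-01 challenges.
GRANTS = (
    Grant("alice", "example.com", "*.lab.example.com", frozenset({"A", "AAAA"})),
    Grant("bob", "example.com", "_acme-challenge.www.example.com", frozenset({"TXT"})),
)
ZONE_ADMINS = ("hostmaster",)


def decide(req: UpdateRequest) -> Tuple[bool, bool]:
    """Return (coarse decision, fine-grained decision) for one request."""
    return authorize_coarse(req, ZONE_ADMINS)[0], authorize_fine(req, GRANTS)[0]


if __name__ == "__main__":
    for req in (
        UpdateRequest("alice", "example.com", "host1.lab.example.com", "A", "add"),
        UpdateRequest("alice", "example.com", "lab.example.com", "NS", "add"),
        UpdateRequest("bob", "example.com", "_acme-challenge.www.example.com", "TXT", "add"),
        UpdateRequest("bob", "example.com", "www.example.com", "A", "delete"),
        UpdateRequest("hostmaster", "example.com", "www.example.com", "A", "delete"),
    ):
        coarse, fine = decide(req)
        print(f"{req.principal:>10} {req.op:6} {req.rtype:4} {req.name:35} "
              f"coarse={coarse} fine={fine}")
```

Under the coarse check alice and bob are refused everything and must file a ticket; under the fine-grained one alice can manage her lab hosts but cannot add an NS record at lab.example.com (the cut itself is excluded from a subtree grant, so she cannot re-delegate her own subtree), and bob can rotate his ACME challenge TXT record and nothing else. The same shape of decision function is what a self-service front end would consult before forwarding a dynamic update to the server.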