At 9:18 AM +0300 8/12/07, Yoav Nir wrote:
In Chicago there was some controversy about whether multiple
administrators should be in scope. This charter draft says that
they're in. I'm not saying they shouldn't be, but it does add
complexity.
Indeed. But the complexity might be able to be contained with very
different assumptions than the ones you made.
If they're in, we need to answer big questions:
- If TAA1 adds a TA, can TAA2 delete it?
- If no, should there be "hard-delete" where it does delete it?
- If TAA1 adds a TA, and then TAA2 adds it again, and then TAA1
deletes it, is it there or not?
- Should TAA2 be able to query TAs added by TAA1?
- Should we have a delete-all command (I think that's necessary for
the store-and-forward scenario)
- How does delete-all interact with multiple TAAs? Do we need a
hard-delete-all?
I would answer these questions no, yes, yes, yes, yes and yes, but
these are far from trivial.
This takes the view that the TAAs "add" and "delete" TAs. A very
different view, one that makes things a lot simpler, is that TAAs
propose additions and deletions, and the software for the recipient
of those proposals chooses whether or not to act on those proposals.
As I said at the mic in Chicago, I'm not suggesting that end users
need to think about each TAA action; they can just make policy
decisions and let the software act accordingly.
For example, assume that the user has the setting "TAA1 is more
important than TAA2". Then, in your examples:
- If TAA1 adds a TA, can TAA2 delete it?
No.
- If no, should there be "hard-delete" where it does delete it?
No. I would be against having various strengths of "add" and
"delete"; no one will be able to figure them out.
- If TAA1 adds a TA, and then TAA2 adds it again, and then TAA1
deletes it, is it there or not?
It is not.
- Should TAA2 be able to query TAs added by TAA1?
Yes. A simpler and more general mechanism is that any TAA can query
the TA store, and that store says which TAA added each TA.
- Should we have a delete-all command (I think that's necessary for
the store-and-forward scenario)
No. That would leave the user with no one to trust, including the
party that issued the delete-all. The TAM software should never leave
the user with no TAs except under dire circumstances.
- How does delete-all interact with multiple TAAs? Do we need a
hard-delete-all?
Moot; see above.
I believe that most users who have multiple TAAs could set an order
for precedence to them. I also think writing software to act on the
precedence is quite straightforward: the two rules are "only allow
delete proposals from TAAs at the same level or higher as the TAA who
added this TA" and "if a TA has been deleted, only allow it to be
re-added by a TAA at the same level or higher than the one who
deleted it".
Does this simplification seem like a good one?
--Paul Hoffman, Director
--VPN Consortium
