Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Brian E Carpenter



>>> This is what I meant when I said that the charter is unclear
>>> and it must explicitly state that NEA is not meant as a
>>> protection mechanism of any sort for the network.
>
> I don't believe the Charter needs to delve into this at all.  If some people
> see it as part of their protection mechanisms, so be it.
>
> Darryl (Dassa) Lynch


The IETF has an obligation to "truth in advertising" so IMHO we should not
claim protection that doesn't exist, even implicitly.

   Brian

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
The IETF has an obligation to WIPO and to the DMCA and well - so far it's
failed those pretty well I think.

Todd Glassey



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Fritz F. Saad
Todd,

Agreed, we should work to fix that.

Fritz.



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Brian E Carpenter

> Agreed, we should work to fix that.
...
> The IETF has an obligation to WIPO and to the DMCA
...

I can only assume this was intended as some form of joke.

   Brian



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Keith Moore
>> The IETF has an obligation to WIPO and to the DMCA
> ...
>
> I can only assume this was intended as some form of joke.

regardless of intent, it should be treated as such.

Keith




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
No it wasn't Brian - the WIPO IP Framework calls for a set of protections
for Industrial Designs which ALL of the work that happens here is controlled
by right? Otherwise, do you formally want to make a declaration as the
IETF's Chair that the IETF and the ISOC are immune from Global IP Law and
can pretty much do anything they want.

Todd Glassey



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
Fritz this is a much bigger issue than ANYONE thinks at this time and it's
based on the idea that the WIPO standard says that the IETF MUST be doing
Industrial Design IP Models, and it only does Copyright which is a violation
of the WIPO IP protection framework and the treaties ALL of the Member
States have signed.

Interesting eh?

Todd Glassey





RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Narayanan, Vidya
Hi Darryl,



> >>
> >> It appears that the NEA charter is completely misleading to some
> >> people from what is stated in this email. As the NEA charter alludes
> >> to, NEA does nothing to protect against compromised devices. Also, as
> >> has been agreed, NEA is not a protection mechanism for the network -
> >> it is meant to be a protection mechanism for compliant, truthful and
> >> as yet uncompromised end hosts against known vulnerabilities.
> 
> True the NEA doesn't "do" anything to protect against 
> compromised devices but it does assist in limiting the known 
> compromises on endpoint devices by being a mechanism for the 
> checking and reporting on compliance to what ever network 
> policy is in place including virus and patch levels.  

I'm not sure what you mean by "known compromises" - did you mean known
vulnerabilities? If so, yes - I was not questioning the role of NEA in
dealing with known vulnerabilities on truthful endpoints. 

The discussion was about using NEA as a protection mechanism for the
network and that doesn't make sense to me and as I understand from
Susan, that is not the intention of the charter either. 

> As a 
> network administrator I already deploy mechanisms for doing 
> just this, but at a higher level than the NEA charter 
> indicates.  To me the difference is between being reactive or 
> proactive.  Compliance testing I already run occurs after an 
> end node has joined the network, with NEA the possibility is 
> for compliance checking before being allowed onto the network 
> so isolation and immediate remediation is possible.
> 
> >> Any network, in its own best interests, must assume that it has lying
> >> and compromised endpoints connecting to it and that there are unknown
> >> vulnerabilities on any NEA-compliant devices connecting to it. Any
> >> kind of protection that addresses these general threats that the
> >> network may be exposed to at any time will simply obviate the need
> >> for NEA from the network perspective.
> 
> Reliance on one protection or reporting mechanism is not 
> enough.  We need a lot of varied tools to cover all the bases 
> and minimise risk.
> 

This is repetition at this point - but, when a network has mechanisms to
protect itself against lying endpoints and unknown vulnerabilities, that
should cover protection against truthful ones with known
vulnerabilities. Otherwise, the network is obviously not adequately
protected against the broader set of threats. So, one would employ NEA
in their networks to protect the end hosts attaching to the network, not
the network itself. 

> >> A network operator that thinks the network is getting any protection
> >> by employing NEA is clearly ignoring the obvious real threats that
> >> the network is exposed to at any time.
> 
> No, NEA would just be one more tool used to improve overall 
> security and minimise risk.  It would be at a different level 
> to the tools some of already deploy.
> 
> >> This is what I meant when I said that the charter is unclear and it
> >> must explicitly state that NEA is not meant as a protection mechanism
> >> of any sort for the network.
> 
> I don't believe the Charter needs to delve into this at all.  
> If some people see it as part of their protection mechanisms, 
> so be it.
> 

That is a terrible approach to take, given how misleading the charter
obviously has been to many. The charter must be clear about what the WG
is doing and what is out of scope. 

Vidya

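The distinction Vidya draws above (NEA catches truthful endpoints with known vulnerabilities, and nothing else) is easy to see in code. The following is an added example written for this page, not code from the thread or from any NEA draft or implementation: a toy posture evaluator whose policy, attribute names, version numbers and three endpoint reports are all made-up assumptions. The server only ever sees the self-reported attributes; the `actual` dictionary is ground truth that exists only in the simulation.

```python
"""Toy NEA-style posture evaluation: what the server can and cannot learn.

Added example for this thread, not code from any NEA draft or product.
Attribute names, policy values and the endpoint reports below are all
made up for the demonstration. The one property it relies on is the one
argued in the thread: the server decides on what the endpoint *reports*.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    min_patch_level: int
    require_antivirus: bool
    min_av_signature_date: str  # ISO 8601 date; lexical order == chronological order


@dataclass
class PostureReport:
    endpoint: str
    attributes: dict            # self-reported posture, as the server sees it
    actual: dict = field(default_factory=dict)  # ground truth; simulation only


def evaluate(policy: Policy, attributes: dict) -> tuple[str, list[str]]:
    """Server-side check: returns ('allow' | 'quarantine', reasons) from
    the reported attributes alone. Nothing here verifies the report."""
    reasons = []
    patch = attributes.get("patch_level", 0)
    if patch < policy.min_patch_level:
        reasons.append(f"patch_level {patch} < {policy.min_patch_level}")
    if policy.require_antivirus and not attributes.get("antivirus_enabled", False):
        reasons.append("antivirus disabled")
    if attributes.get("av_signature_date", "") < policy.min_av_signature_date:
        reasons.append("antivirus signatures older than policy minimum")
    return ("allow" if not reasons else "quarantine"), reasons


def classify(policy: Policy, report: PostureReport) -> dict:
    """Compare the server's decision with the simulation's ground truth."""
    decision, reasons = evaluate(policy, report.attributes)
    truth = report.actual
    lying = any(report.attributes.get(k) != truth.get(k) for k in report.attributes)
    unsafe = truth.get("compromised", False) or truth.get("unknown_vulnerability", False)
    return {
        "endpoint": report.endpoint,
        "decision": decision,
        "reasons": reasons,
        "lying": lying,
        # The case NEA cannot cover: an unsafe host admitted on its own say-so.
        "admitted_unsafe_host": decision == "allow" and unsafe,
    }


# Constructed sample policy and reports (not real data).
POLICY = Policy(min_patch_level=42, require_antivirus=True,
                min_av_signature_date="2006-10-01")

COMPLIANT = {"patch_level": 42, "antivirus_enabled": True,
             "av_signature_date": "2006-10-08"}

REPORTS = [
    # Truthful but behind on patches: the case NEA is meant for.
    PostureReport("honest-unpatched",
                  {"patch_level": 41, "antivirus_enabled": True,
                   "av_signature_date": "2006-10-03"},
                  {"patch_level": 41, "antivirus_enabled": True,
                   "av_signature_date": "2006-10-03"}),
    # Truthful and compliant, but carrying a vulnerability nobody knows about yet.
    PostureReport("honest-zero-day", dict(COMPLIANT),
                  dict(COMPLIANT, unknown_vulnerability=True)),
    # Compromised host whose NEA client has been made to report a clean posture.
    PostureReport("lying-rootkit", dict(COMPLIANT),
                  {"patch_level": 30, "antivirus_enabled": False,
                   "av_signature_date": "2006-01-15", "compromised": True}),
]


def run_demo(policy: Policy = POLICY, reports=REPORTS) -> list[dict]:
    """Evaluate every constructed report against the constructed policy."""
    return [classify(policy, r) for r in reports]


if __name__ == "__main__":
    for result in run_demo():
        print(f"{result['endpoint']:<16} -> {result['decision']:<10} "
              f"lying={result['lying']} "
              f"admitted_unsafe={result['admitted_unsafe_host']} "
              f"{result['reasons']}")
```

Running it quarantines only the honest-but-unpatched host; the compromised host that forges a compliant report and the honest host with an unknown vulnerability are both admitted. Nothing in this evaluator, and nothing in the assessment step itself, checks that the report is true, which is why the network has to be protected by controls that do not depend on what the endpoint says about itself.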


Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread David W. Hankins
On Mon, Oct 09, 2006 at 09:08:42AM -0700, todd glassey wrote:
> No it wasn't Brian - the WIPO IP Framework calls for a set of protections
> for Industrial Designs which ALL of the work that happens here is controlled
> by right?

I suppose you might consider ALL IETF work as protected or threatened by
WIPO Industrial Designs [1] treaties if you first accept that "ALL" IETF
work is ornamental.

But of course, the joke isn't funny if you have to explain it.


[1] http://www.wipo.int/designs/en/designs.html

-- 
ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DDNS & DHCP.  Email [EMAIL PROTECTED]
-- 
David W. Hankins"If you don't do it right the first time,
Software Engineer   you'll just have to do it again."
Internet Systems Consortium, Inc.   -- Jack T. Hankins




RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Narayanan, Vidya
Hi Susan, 

> -Original Message-
> From: Susan Thomson (sethomso) [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, October 08, 2006 3:27 PM
> To: Narayanan, Vidya
> Cc: [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
> Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea) 
> 
> 
> Hi Vidya
> 
> Inline ...
> 
> 
> >
> > How about adding this text - "It should be noted that the networks at
> > large are exposed to attacks from lying endpoints and external
> > entities attaching to the networks as well as any problems arising
> > from unknown vulnerabilities on NEA compliant endpoints. Hence, NEA
> > must not be considered a protection mechanism for networks. Further,
> > mechanisms needed to protect the network from all kinds of
> > vulnerabilities are expected to be a superset of any protection that
> > may be achieved by employing NEA"?
> > 
> 
> It seems to me that this better belongs in a security 
> considerations section of the NEA spec, especially given 
> where we are in the review cycle and the amount of time spent 
> on this specific section already.
> 

No, this text definitely needs to be on the charter. From the number of
discussions even at this stage, it is clear that the charter lacks the
clarity in this space. This is not text about a particular draft in NEA
- it is about the scope of the WG. 




> > That is not necessarily putting any requirements in the choice of the
> > mandatory to implement protocol itself, as I see it. I believe that
> > stating something like "The mandatory to implement PT protocol must be
> > generic enough to allow the execution of the NEA procedure without
> > forcing the need to re-execute network access procedures".
> > 
> 
> I think protocol requirements belong in the requirements I-D.
> 

The charter text elsewhere does get into performing NEA procedures at
network access. Perhaps that could be removed from the charter too? If
the charter only specified that the PT protocol was out of scope and
left out any text about the timing of execution of the PT protocol w.r.t.
network access, that would be fine. 

> 
> > Not only do I not see anything in the charter or milestones that
> > indicates that the WG is going to spend time exploring this, I
> > strongly believe this WG should not be spending any time looking at
> > this. The trust models for the cases where the devices are not owned
> > by the organization performing NEA are hugely different and can take
> > up its own WG to actually find something that applies there, if at
> > all. For one, this could be considered a violation of privacy by the
> > user of the device. Secondly, the end user's perspective of attacks
> > may be entirely different from the organization's perspective in this
> > case. Third, I simply can't see what the organization's interests
> > would be in protecting a device that doesn't even belong to it. Last
> > but not the least, this requires the endpoint to be running an NEA
> > client (that is interoperable with the NEA server of the organization)
> > - which in itself is often an unrealistic requirement.
> >
> > Organizations that provide services in their networks to end users are
> > worried about protecting their resources (i.e., networks, servers,
> > etc.). As we have agreed, NEA does not protect such resources anyway.
> > Plus, there is absolutely no reason such organizations should believe
> > that devices they don't own are in fact, truthful endpoints.
> >
> > So, thinking that this WG must be looking into resolving this seems
> > flawed at several levels. In the interest of having a focused WG that
> > can get something useful accomplished, this does not make sense.
> > 
> No argument with your gist here.  The point I was trying to 
> make is that I think applicability may not be quite as "black 
> and white" as your original text suggests, and it would be 
> better if the applicability and security considerations 
> associated with NEA be addressed in the WG and specified in 
> the appropriate NEA documents.
> 

This again is not necessarily a document-specific issue. It applies in
general to anything that will be produced by this WG. 

> The charter could express itself better in this regard. If
> the last sentence was replaced with something like: "NEA can 
> be limited in its applicability when the endpoint and the 
> organization providing network access are owned by different 
> parties. NEA applicability and security considerations will 
> be described in the appropriate NEA documents."
> Would this work? 
> 

Why would the charter not be limited to producing solutions that may be
relevant to the case where the organization owns the end devices? As
long as we agree that NEA is not intending to protect the network and is
only meant to protect endpoints, keeping the scope to this would allow
for more focussed and useful work. To that effect, here is some modified
text: 

"NEA can be

Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Theodore Tso
On Mon, Oct 09, 2006 at 09:08:42AM -0700, todd glassey wrote:
> No it wasn't Brian - the WIPO IP Framework calls for a set of protections
> for Industrial Designs which ALL of the work that happens here is controlled
> by right? Otherwise, do you formally want to make a declaration as the
> IETF's Chair that the IETF and the ISOC are immune from Global IP Law and
> can pretty much do anything they want.

Todd,

According to the WIPO web site:

"The World Intellectual Property Organization (WIPO) is a
specialized agency of the United Nations. It is dedicated to
developing a balanced and accessible international intellectual
property (IP) system, which rewards creativity, stimulates innovation
and contributes to economic development while safeguarding the public
interest."

What the WIPO might or might not call for might perhaps be of interest
to various national legislative bodies, but it is completely out of
scope for the IETF list.

Regards,

- Ted
IETF Sergeant-at-Arms




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Jeffrey Hutzelman



On Wednesday, October 04, 2006 02:31:36 PM -0700 todd glassey
<[EMAIL PROTECTED]> wrote:

> Vidya  good commentary, maybe I can add some more. The NEA, per the
> charter-need's justification statement says:
>
>> Network Endpoint Assessment (NEA) architectures have been implemented
>> in the industry to assess the "posture" of endpoint devices
>
> Ah two new terms of Art - "Posture" and "Devices".


I only see one.  I believe "device" is a fairly well-understood term, 
though perhaps "node" would have been more appropriate in this context.


However, I completely agree that this proposed charter uses the term 
"posture" far too often not to define it.  I fail to see how whether my 
computer is sitting upright or lying on its side is relevant to whether it 
should be allowed access to the network.


-- Jeff



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
No you are wrong Ted, and it's pretty funny too.  As it happens you are
incorrect for saying that this is inappropriate for the IETF's lists.

You need to dig farther into the WIPO Site and find all the State Signatures
to the Treaties - it's them that the IETF is bound by whether it likes it or
not.  Since the countries through which the IETF's actions operate, including
the meetings, are all signatories to the WIPO Treaties you are exactly stuck
with them.


Todd Glassey




RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Darryl \(Dassa\) Lynch
Harald Alvestrand wrote:

>> Posture checking is certainly a leaky bucket. It doesn't
>> protect all kinds of endpoint, it doesn't protect the
>> endpoints against all kinds of threats, and it doesn't
>> protect much of anything against a smart, resourceful
>> attacker who is deeply familiar with the NEA system in use
>> and is interested in investing considerable resources in
>> attacking or circumventing it.

NEA itself may not offer any protection, it is more an informational tool
from my perspective.  How that information may be used could lead to some
protection but that would vary with each deployment.

>> But (to recycle a very old simile) the fact that I can open
>> the locks of most doors with a crowbar doesn't mean that locks are
>> not useful. Organizations that have deployed products that do
>> something like what NEA is talking about have reported that their
>> TCO is reduced. 

In these days of information overload I still maintain, the more information
available the better it is.

Darryl (Dassa) Lynch





Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Theodore Tso
On Mon, Oct 09, 2006 at 01:54:51PM -0700, todd glassey wrote:
> No you are wrong Ted, and its pretty funny too.  As it happens you are
> incorrect for saying that this is inappropriate for the IETF's lists.
> 
> You need to dig farther into the WIPO Site and find all the State Signatures
> to the Treaties - its them that the IETF is bound by whether it likes it or
> not.  Since the countries through with the IETF's actions operate including
> the meetings, are all signatories to the WIPO Treaties you are exactly stuck
> with them.

I said it was inappropriate for the IETF list.  If you have specific
ideas as they relate to the ipr working group, feel free to be
specific about specific WIPO treaties that have resulted in national
legislation, and specific changes to be made to IETF's IPR policies,
feel free to make them on that list, but not on the main IETF list,
please.

Thanks,

- Ted



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
So then Ted are you formally saying that it is inappropriate to discuss IETF
operations or its processes on the IETF@IETF.ORG mailing list?


The problem with the IPR working group is simply that Harald kicks people
off for disagreeing with him or his very limited charter. He doesn't want to
hear about expanding the charter or how these other issues fit into the IPR
Working Group and in doing so he is violating my and others participatory
rights as well as our First Amendment rights I believe too.

Todd Glassey.



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
Jeff -

OK Devices is really well defined in both a technical and legal sense per
the Device based Frauds Act - the little brother of the CFAA. But in this
instance I wanted to bring out the use of the misnomer "Posture" relative to
a Device.

The Device is what it is. The Posture is clearly a term for Operating Policy
which includes change management, security/integrity proofing, and the
general state-response policies that make up the controls and processes for
the Entity in question.

The problem we both saw was the indiscriminate use of the term Posture to
define a group of policies which were specific to a number of things that
the Charter was trying to lay claim to.

I don't necessarily think the NEA is a bad idea - but its about auditing and
so it needs to be crafted as an audit tool and use audit speak in the
process IMHO.

Todd Glassey




IETF/US General Election

2006-10-09 Thread Michael C. StJohns

Just a reminder - (and apologies to our non-US participants)

For the first time ever (at least I can't remember another 
occurrence) the US bi-annual general elections will occur during an 
IETF week.  If you're a US citizen and planning on voting this cycle 
(and not from San Diego!), don't forget to submit a request for an 
absentee ballot before your state's deadline.


Mike




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Theodore Tso
On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
> So then Ted are you formally saying that it is inappropriate to discuss IETF
> operations or its processes on the IETF@IETF.ORG mailing list?

If you have a specific and actionable suggestion regarding IETF
direction, policy, meetings, and procedures, where there is not a more
appropriate e-mail venue (such as the IPR wg list), then it is
certainly appropriate for the IETF list.

Your recent postings, alas, have not met this test.

> The problem with the IPR working group is simply that Harald kicks people
> off for disagreeing with him or his very limited charter. He doesn't want to
> hear about expanding the charter or how these other issues fit into the IPR
> Working Group and in doing so he is violating my and others participatory
> rights as well as our First Amendment rights I believe too.

First Amendment rights only apply when the US Government restricts
speech.  It does not apply anywhere else.  In general, you have been
making various legal claims without being a lawyer, and fairly wild
ones which make it very clear that you don't know what you are talking
about.  For what it's worth, be advised that I know of no legally
enforceable "right" that you might have towards participating in any
IETF forum, and certainly if you persist in sounding like someone who
does not know what they are talking about, no one is required to
listen to you, either --- and more and more people may in fact decide
that it is wise for them to exercise their right to ignore you.

Regards,

- Ted



RE: IETF/US General Election

2006-10-09 Thread Moskovitz, Ram Austryjak
You can choose permanent absentee status and vote using paper
indefinitely.




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
You know Ted you crack me up.

Todd Glassey



Re: WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Randy Presuhn
Hi -

Functionally, how would nea be different from using netconf
or snmp to retrieve a system's configuration data?  Describing
it as a way to retrieve vendor-specific strings from a system
makes it sound like a profile of netconf.

Randy

> From: "Ted Hardie" <[EMAIL PROTECTED]>
> To: 
> Cc: <[EMAIL PROTECTED]>
> Sent: Sunday, October 08, 2006 11:45 PM
> Subject: WG Review: Network Endpoint Assessment (nea)
>
> I have a very basic fear that this working group is getting chartered
> with a bunch of aims added by people who will not take on the
> task of doing the work.  After private discussion with folks
> involved, my sense is that the very core of this work is a perceived 
> need to be able to pass opaque strings between a host and the network 
> prior to the host attaching.  Those opaque strings are, essentially,
> the vendor-specific strings currently associated with posture assessment.
> The standard protocol carrying these strings would connect on the network
> side to a system that has plug-ins which understand the vendor-specific
> strings.  
> 
> With a charter that clarified that this was intended to assist the end
> systems with vulnerabilities prior to attachment because the
> network they are attaching to might be filled with danger, I 
> think this work would get done reasonably quickly. (As a control
> mechanism to protect the network, I agree with the point made
> clearly by others that this is not appropriate).
> 
> I am less sure of the task of standardizing attributes.
> 
> I am not sure that the number of attributes which can be standardized
> will ever be high enough to be truly useful, and I am pretty sure
> that all of these will be already covered by vendor-specific attributes.
> Since there must be an assessor in place on the client for those few
> standardized attributes to be assessed and that assessor will likely already
> have these covered by vendor-specific attributes, in other words,
> we seem to be standardizing redundancy.  On the network attachment
> side, it is possible, of course, that an offer of remediation could be made
> based on just the standard attributes, but it seems far more likely that
> it would be a two step process (assess standard attributes, then pass
> vendor-specific attributes to vendor plug-in).  Again, if the vendor's
> attributes cover the standard attributes, then this is largely redundant
> and may add measurable latency; it seems far more likely that 
> step one would simply be skipped if there were a vendor-specific string
> and an available plug-in. Since there has to be an assessor, the first
> seems very likely to me.  If you don't have a vendor's plug-in, then
> I suppose there is some chance that you will trust and act based on the 
> standard
> attributes, but the chance of getting the right remediation seems
> pretty slight in those circumstances.  Especially when many vulnerabilities
> are a combination of conditions, (Browser version Foo on OS patch level Bar) 
> that you could remediate by upgrading either one, checking for and
> acting on the attributes which could be standardized seems of very, very 
> limited utility.
> 
> Ted Hardie

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
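The exchange Ted Hardie sketches above (opaque vendor-specific strings carried by a standard protocol, handed on the network side to vendor plug-ins, with a handful of standard attributes as the fallback) modelled as an added Python example. This is not code from the thread, the NEA working group, or any product; the report layout, the vendor-id convention (0 for standard attributes), the plug-in interface, the "acme" plug-in and the "browser Foo on OS patch level Bar" policy are all assumptions made for illustration. It shows the two-step assessment collapsing to one step when a plug-in is available, a standard-attribute verdict that refuses to judge a compound condition from half the data, and that the entire report is self-asserted by the endpoint, which is the reason given in this thread for not presenting NEA as a protection mechanism for the network.

```python
"""Toy model of the posture exchange described above. Added example, not code
from the thread, the NEA WG, or any vendor; the report layout, vendor-id
convention and policy values are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

STANDARD_VENDOR = 0  # assumption: vendor id 0 marks IETF-standard attributes


@dataclass(frozen=True)
class Attribute:
    vendor_id: int  # 0 = standard attribute, anything else = vendor-specific
    attr_type: str  # attribute name (standard) or opaque tag (vendor)
    value: str      # standard value, or a string opaque to the network side


@dataclass
class Verdict:
    compliant: bool
    remediation: List[str] = field(default_factory=list)
    steps: List[str] = field(default_factory=list)  # assessment steps that ran


Plugin = Callable[[List[Attribute]], Verdict]  # sees only its vendor's attributes

# Hypothetical standard policy: the compound condition from the message,
# "Browser version Foo on OS patch level Bar", fixable by upgrading either.
VULNERABLE_BROWSER, VULNERABLE_OS_PATCH = "Foo", "Bar"


def assess_standard(attrs: List[Attribute]) -> Verdict:
    """Step one: judge only the standard attributes the network side knows."""
    std = {a.attr_type: a.value for a in attrs if a.vendor_id == STANDARD_VENDOR}
    browser, patch = std.get("browser_version"), std.get("os_patch_level")
    verdict = Verdict(compliant=True, steps=["standard"])
    if browser is None or patch is None:
        # Half of a compound condition is no basis for a compliance claim.
        verdict.compliant = False
        verdict.remediation.append("report both browser_version and os_patch_level")
    elif browser == VULNERABLE_BROWSER and patch == VULNERABLE_OS_PATCH:
        verdict.compliant = False
        verdict.remediation += ["upgrade browser past Foo", "apply OS patches past Bar"]
    return verdict


def assess(attrs: List[Attribute], plugins: Dict[int, Plugin]) -> Verdict:
    """Network-side assessor: vendor strings with a registered plug-in are
    dispatched and step one is skipped (the vendor attributes are assumed to
    cover the standard ones); otherwise only standard attributes are judged.
    Everything is self-asserted by the endpoint and nothing here verifies it."""
    by_vendor: Dict[int, List[Attribute]] = {}
    for a in attrs:
        if a.vendor_id != STANDARD_VENDOR:
            by_vendor.setdefault(a.vendor_id, []).append(a)
    handled = [vid for vid in by_vendor if vid in plugins]
    if not handled:
        return assess_standard(attrs)
    merged = Verdict(compliant=True, steps=[f"vendor:{vid}" for vid in handled])
    for vid in handled:
        pv = plugins[vid](by_vendor[vid])
        merged.compliant = merged.compliant and pv.compliant
        merged.remediation.extend(pv.remediation)
    return merged


def acme_plugin(attrs: List[Attribute]) -> Verdict:
    """Constructed vendor plug-in: parses an opaque 'k=v;k=v' posture string."""
    blob = next((a.value for a in attrs if a.attr_type == "acme.posture"), "")
    fields = dict(kv.split("=", 1) for kv in blob.split(";") if "=" in kv)
    age = fields.get("av_sig_age_days", "0")
    if not age.isdigit() or int(age) > 7:
        return Verdict(compliant=False, remediation=["update AV signatures"])
    return Verdict(compliant=True)


# Constructed sample reports, not captured traffic.
REPORT_VULNERABLE = [
    Attribute(STANDARD_VENDOR, "browser_version", "Foo"),
    Attribute(STANDARD_VENDOR, "os_patch_level", "Bar"),
]
REPORT_WITH_VENDOR_BLOB = REPORT_VULNERABLE + [
    Attribute(4242, "acme.posture", "av_sig_age_days=12;fw=on"),
]
# A compromised endpoint can simply assert values that pass policy.
REPORT_LYING = [
    Attribute(STANDARD_VENDOR, "browser_version", "Baz"),
    Attribute(STANDARD_VENDOR, "os_patch_level", "Bar"),
]

if __name__ == "__main__":
    print("standard only     ", assess(REPORT_VULNERABLE, {}))
    print("plug-in present   ", assess(REPORT_WITH_VENDOR_BLOB, {4242: acme_plugin}))
    print("blob, no plug-in  ", assess(REPORT_WITH_VENDOR_BLOB, {}))
    print("lying endpoint    ", assess(REPORT_LYING, {}))
```

The `steps` field records which path the assessor took, which makes the redundancy argument visible: once a plug-in is registered for the vendor blob, the standard attributes are never consulted, and an endpoint that reports compliant-looking standard values is accepted on its own say-so.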


Re: IETF/US General Election

2006-10-09 Thread Bill Strahm
Be careful offering legal advice.  I believe what you are proposing is a 
state issue.  For example in Oregon we ONLY have mail in ballots.  Other 
states will have varying degrees of absentee balloting - each with their 
own fun interpretations.


Bill
Moskovitz, Ram Austryjak wrote:

You can choose permanent absentee status and vote using paper
indefinitely.


-Original Message-
From: Michael C. StJohns [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 09, 2006 2:43 PM

To: ietf@ietf.org
Subject: IETF/US General Election 


Just a reminder - (and apologies to our non-US participants)

For the first time ever (at least I can't remember another
occurrence) the US bi-annual general elections will occur during an IETF
week.  If you're a US citizen and planning on voting this cycle (and not
from San Diego!), don't forget to submit a request for an absentee
ballot before your state's deadline.

Mike


___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf