Re: IDS> Minutes of TCG HCWG phone call

From: Ira McDonald (blueroofmusic@gmail.com)
Date: Thu Mar 19 2009 - 15:03:03 EDT

  • Next message: Randy Turner: "Re: IDS> Minutes of TCG HCWG phone call"

    Hi Randy,

    Thanks for the details about the PT abstraction.

    All - IETF PB-TNC *does* place specific requirements on the PT
    on page 12 of draft-ietf-nea-pb-tnc-03.txt (6 March 2009):

    3.3. Layering on PT

       PB-TNC batches are carried over protocol bindings of the PT protocol,
       which provides the interaction between a Posture Transport Client and
       a Posture Transport Server. PB-TNC counts on PT to provide a secure
       transport. In particular, PT MUST support mutual authentication of
       the Posture Transport Client and the Posture Transport Server,
       confidentiality and integrity protection for PB-TNC batches, and
       protection against replay attacks. PB-TNC is unaware of the
       underlying transport protocols being used. PB-TNC operates directly
       on PT; no further layer of PB-TNC is expected.

    Randy - I don't care whether TCG ever answers the mandatory-to-implement
    specific PT question - but the IETF NEA WG *MUST* do so in order to fulfill
    their charter - there's nothing in their charter about abstract will do.

    Cheers,
    - Ira

    Ira McDonald (Musician / Software Architect)
    Chair - Linux Foundation Open Printing WG
    Blue Roof Music/High North Inc
    email: blueroofmusic@gmail.com
    winter:
      579 Park Place Saline, MI 48176
      734-944-0094
    summer:
      PO Box 221 Grand Marais, MI 49839
      906-494-2434

    On Thu, Mar 19, 2009 at 2:16 PM, Randy Turner <rturner@amalfisystems.com> wrote:
    > Hi Ira,
    >
    > The PT protocol was, from the outset, meant to be an abstraction, but it
    > relates to the IF-T interface in the TCG TNC specs.
    >
    > It's complicated, but the PT protocol is not one transport, but whatever
    > "bootstrap" protocol is "in vogue" in the network community at any point in
    > time, so it's intentionally left as an abstraction since it's difficult to
    > choose and subsequently standardize "one" transport.
    >
    > The TCG TNC group has published "binding" documents for tunneling TNC in
    > EAP, and I believe Microsoft has published a way to deliver attributes with
    > DHCP.
    >
    > There may be other "layer 2.5" mechanisms produced in the future, which will
    > naturally call for new binding documents, but the PA/PB protocols will only
    > make "requirements" on these protocols and the core model (PB/PA) shouldn't
    > have to change. Because of the sensitive nature of information in the PB/PA
    > traffic, the major requirements would be integrity and some type of
    > authentication, preferably mutual, but definitely client auth.
    >
    > I personally think the tunneled EAP method (see IF-T) will be the most
    > widely deployed enterprise/campus technique for delivering TNC messages. You
    > can also google for EAP-TNC, which I think would bring up appropriate links.
    >
    > Randy
    >
    >
    > ----- Original Message ----- From: "Ira McDonald" <blueroofmusic@gmail.com>
    > To: "Randy Turner" <rturner@amalfisystems.com>; "Ira McDonald"
    > <blueroofmusic@gmail.com>; "Jerry Thrasher" <thrasher@lexmark.com>
    > Cc: <ids@pwg.org>
    > Sent: Thursday, March 19, 2009 10:45 AM
    > Subject: Re: IDS> Minutes of TCG HCWG phone call
    >
    >
    > Hi,
    >
    > An observation about the extent of compatibility between IETF NEA and TCG
    > TNC
    > specs.  The IETF (and presumably TCG) specs for PB-TNC (Posture Broker) and
    > PA-TNC (Posture Attributes) *punt* security completely and say that's
    > the problem
    > of the PT (Posture Transport) component.
    >
    > Although the IETF NEA charter says they will specify one 'mandatory to
    > implement'
    > transport, *nothing* in any published IETF NEA WG I-D ever does so.
    >
    > PWG IDS can't write a binding to IETF NEA, because there's no transport, no
    > authentication, no integrity, etc.  Who knows what goes 'on the wire'?
    >
    > Jerry and Randy - you guys have followed IETF NEA - is this magic
    > secure transport
    > sauce somewhere in IETF NEA WG minutes, or is it just not there to be found?
    >
    > Cheers,
    > - Ira
    >
    > Ira McDonald (Musician / Software Architect)
    > Chair - Linux Foundation Open Printing WG
    > Blue Roof Music/High North Inc
    > email: blueroofmusic@gmail.com
    > winter:
    >  579 Park Place  Saline, MI  48176
    >  734-944-0094
    > summer:
    >  PO Box 221  Grand Marais, MI 49839
    >  906-494-2434
    >
    >
    >
    > On Thu, Mar 19, 2009 at 1:22 PM, Randy Turner <rturner@amalfisystems.com>
    > wrote:
    >>
    >> Hi All,
    >>
    >> After reading Brian's (and Lee's) minutes and notes from the TCG HCWG
    >> call,
    >> I had the following comments ....
    >>
    >> I would agree that conforming to the NEA specifications provides most, if
    >> not all, of the benefits of TNC. I always thought that the TCG should not
    >> be creating protocols but instead, should be defining "profiles" of
    >> existing
    >> protocols for compliance with an overall architectural recommendation.
    >> This
    >> is similar to what the OATH consortium (OpenAuthentication) has done. The
    >> OATH consortium is a marketing/business/technical organization that
    >> produces
    >> IETF drafts for standardizing "on the wire" protocols, and the consortium
    >> drives adoption. In this way, they're employing existing organizations
    >> that really know how to create protocol standards, and using the "paid"
    >> organization to drive marketing/business, and technical evangelizing.
    >>
    >> Regarding "Client-less" devices, Microsoft has defined a set of behaviors
    >> in
    >> their NAP documents for how "clientless" devices are to be treated by the
    >> network. It seems to be that work on "clientless" devices is more
    >> "policy-oriented" than "technically-oriented" and that "standardizing"
    >> behavior in this area may seem more site-specific, and difficult to
    >> mandate
    >> a "global" conformance text for how to treat clientless devices. As such,
    >> I
    >> think this may be something that could be "recommended" but not
    >> "mandated".
    >>
    >> Someone brought up the comment about remediation, and Steve Hanna
    >> commented
    >> that "relevant remediation instructions for HCDs would be worthwhile".
    >> I think he's suggesting looking at a "standard" for HCDs regarding
    >> remediation, which is a topic that came up on an earlier conference call
    >> discussing a "common" NAP plugin for Microsoft's health assessment
    >> architecture. No vendor on the call seemed to "leap in" and say we should
    >> do this.
    >>
    >> I would urge participants in these discussions to think about Steve's
    >> comments regarding the value of TNC/NEA protocols for devices WITHOUT
    >> TPMs.
    >> This may be a point of departure for devices that do and do not have a
    >> TPM,
    >> especially when/if the TCG starts defining formal certification processes.
    >> While a TPM may not be ABSOLUTELY required by the NEA/TNC specs, the "bar"
    >> may be set so high for certification (requirements) that a TPM, or the
    >> equivalent of a TPM, may be the only way to hit the bar. It would be
    >> interesting to see if the MS-NAP documents discuss compliance/requirements
    >> issues with regards to devices that DO NOT have a TPM. For instance, over
    >> time, will devices that DO NOT have a TPM be lumped into the "clientless"
    >> device category? Or basically, will there be a "third" category of device
    >> for devices that implement the TNC protocol but do not have a TPM?
    >>
    >>
    >>
    >> Randy
    >>
    >>
    >
    >



    This archive was generated by hypermail 2.1.4 : Thu Mar 19 2009 - 15:03:10 EDT