[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Updating the MIB security guidelines

To: mibs@ops.ietf.org
Subject: RE: Updating the MIB security guidelines
From: "C. M. Heard" <heard@pobox.com>
Date: Thu, 2 Jan 2003 13:42:06 -0800 (PST)
In-reply-to: <200301022004.MAA10906@dorothy.bmc.com>

On Thu, 2 Jan 2003, Randy Presuhn wrote:
> > I'm not sure it's really necessary, but if you insist, we could fix
> > this too by changing the words "encrypt the values" to "encrypt the
> > values and names" in the third setion.  It would then say:
> ...
> 
> I'd rather NOT see such a change.

That suits me.

> My concerns are from the perspective of the access control policy's
> effect on who is permitted to learn the index values.  Whether that
> policy requires encryption of the responses on the wire follows as a
> matter of course.  (For example, a security administrator shouldn't
> permit "public" to walk a table with "revealing" indexes, even if a
> privacy protocol would be in use.)

OK, but I think the already text covers that.  The readable items in a
table with "revealing" indices would be "sensitive or vulnerable"
precisely because of those indices.

If there is anything to be fixed, I think it would be this instruction:

   <list the tables and objects and state why they are sensitive>

//cmh

References:
- RE: Updating the MIB security guidelines
  - From: Randy Presuhn <rpresuhn@dorothy.bmc.com>

Prev by Date: Re: Updating the MIB security guidelines
Next by Date: Re: comments on draft-presuhn-referent-00.txt
Previous by thread: RE: Updating the MIB security guidelines
Next by thread: Re: Updating the MIB security guidelines
Index(es):
- Date
- Thread