Minutes: SALSA NetAuth call
6-Jul-06
*Attendees*
Chris Misra, U. Massachusetts (chair)
Kevin Amorin, Harvard U.
Rich Cropp, Penn State U.
Eric Gauthier, Boston U.
David Morton, U. Washington
Steve Olshansky, Internet2
Katherine Strojny, Internet2 (scribe)
*Action Items*
New:
The following three items refer to NetAuth group comments on the NEA requirements document, which will be sent to the mailing list.
[AI] {Chris} will rephrase section 7.1 as an architecture requirement.
[AI] {Kevin} will draft a new section (5.3.2) to address requirements when EAP is not the underlying transport.
[AI] {Eric} will draft a requirement stating that run-once clients are allowed to be valid clients for an NEA architecture.
Carry Over:
[AI] {Chris and Kevin} will talk to Kevin Miller about how to link the NetAuth and FWNA wikis in order to facilitate development of 802.1X content.
[AI] {Chris} will talk to John Vollbrecht about starting the 802.1X document.
[AI] {Group} will collaborate to draft 802.1X deployment documents via wiki.
[AI] {Anyone} who has slides or content related to NetAuth use cases or case studies, send them to SteveO for posting on the NetAuth website.
*Discussion*
Intellectual Property Reminder: The Internet2 intellectual
property policy can be found here: http://members.internet2.edu/intellectualproperty.html
Discussion included the Internet2 Fall Member Meeting call for proposals, NEA status, group comments on NEA documents, progress on 802.1X deployment documents, and a review of action items. The minutes of the last call were approved. Kevin Amorin has been added to the website as a co-chair for the SALSA-NetAuth group.
Proposals are due August 31 for the Internet2 Fall Member Meeting (4-7 Dec 2006, Chicago). Chris welcomed anyone interested in making a proposal to contact him. SALSA-NetAuth will probably do a joint working meeting with FWNA.
Kevin reported on the IETF Network Endpoint Assessment (NEA) status. The NEA group is finishing up documents for submission and approval at the BoF on July 11. Feedback was requested on any of the documents, in particular the requirements. Recent discussion on the NEA list has included compromised endpoints (and whether anything they report can be trusted) and clientless endpoints.
The group discussed the NEA requirements document and agreed upon some changes to recommend. [AI] {Chris} will rephrase section 7.1 (regarding clientless endpoints) as an architecture requirement. [AI] Springing from section 5.3 (posture transport), {Kevin} will draft a new section (5.3.2) to address requirements when EAP is not the underlying transport, in order to address backwards compatibility with clients not speaking EAP. [AI] {Eric} will draft a requirement stating that run-once clients are allowed to be valid clients for an NEA architecture.
The question was raised whether NEA is equivalent to NetAuth, in which case the group should map its efforts to NEA terminology, or whether NEA is a narrow subset of the NetAuth scope. The consensus was that NEA falls within the NetAuth scope rather than being equivalent to it: any time an agent running on the desktop makes a posture assessment and communicates it, that is network endpoint assessment. The concern was raised that the NEA architecture constraints may be too restrictive; requiring a client to run on a machine at all times and disallowing run-once agents may inhibit NEA adoption. This discussion led to the agreement to recommend that run-once agents be allowed as NEA clients.
The group touched on status of 802.1X deployment documents. NetAuth 802.1X documents will be integrated with those of FWNA but the details of how this will be done are to be determined. Chris will talk to Kevin Miller about the possibility of using FWNA documents as a starting point.
Rich reported on 802.1X at Penn State, where it was rolled out as a trial to two buildings. Technologies include Kerberos, WPA with TKIP, and RADIUS. Details can be found on the FWNA wiki under 802.1X Use Cases:
https://wiki.internet2.edu/confluence/display/FWNAWG/Home
The FWNA wiki can also be found as a link from the FWNA website:
http://security.internet2.edu/fwna/
The next call is scheduled for 20-Jul-06, at the new time of 1300 Eastern Daylight Time. Kevin Amorin will chair. The time shift will hold for the remainder of the summer due to the conflict with the NEA call time. Agenda and bridge information will go out to the list prior to the call.