After reading Brian's (and Lee's) minutes and notes from the TCG HCWG
call, I had the following comments ....
I would agree that conforming to the NEA specifications provides most,
if not all, of the benefits of TNC. I always thought that the TCG
should not be creating protocols but instead, should be defining
"profiles" of existing protocols for compliance with an overall
architectural recommendation. This is similar to what the OATH
consortium (OpenAuthentication) has done. The OATH consortium is a
marketing/business/technical organization that produces IETF drafts
for standardizing "on the wire" protocols, and the consortium drives
adoption. In this way, they're employing existing organizations that
really know how to create protocol standards, and using the "paid"
organization to drive marketing/business, and technical evangelizing.
Regarding "Client-less" devices, Microsoft has defined a set of
behaviors in their NAP documents for how "clientless" devices are to
be treated by the network. It seems to me that work on "clientless"
devices is more "policy-oriented" than "technically-oriented", that
"standardizing" behavior in this area may be more site-specific, and
that it may be difficult to mandate a "global" conformance text for how
to treat clientless devices. As such, I think this may be something
that could be "recommended" but not "mandated".
Someone brought up the comment about remediation, and Steve Hanna
commented that "relevant remediation instructions for HCDs would be
I think he's suggesting looking at a "standard" for HCDs regarding
remediation, which is a topic that came up on an earlier conference
call discussing a "common" NAP plugin for Microsoft's health
assessment architecture. No vendor on the call seemed to "leap in"
and say we should do this.
I would urge participants in these discussions to think about Steve's
comments regarding the value of TNC/NEA protocols for devices WITHOUT
TPMs. This may be a point of departure for devices that do and do not
have a TPM, especially when/if the TCG starts defining formal
certification processes. While a TPM may not be ABSOLUTELY required by
the NEA/TNC specs, the "bar" may be set so high for certification
(requirements) that a TPM, or the equivalent of a TPM, may be the only
way to hit the bar. It would be interesting to see if the MS-NAP
documents discuss compliance/requirements issues with regards to
devices that DO NOT have a TPM. For instance, over time, will devices
that DO NOT have a TPM be lumped into the "clientless" device
category? Or basically, will there be a "third" category of device
for devices that implement the TNC protocol but do not have a TPM?