IDS> Minutes of TCG HCWG phone call

IDS> Minutes of TCG HCWG phone call

IDS> Minutes of TCG HCWG phone call

Randy Turner rturner at amalfisystems.com
Thu Mar 19 13:22:22 EDT 2009


Hi All,

After reading Brian's (and Lee's) minutes and notes from the TCG HCWG  
call, I had the following comments ....

I would agree that conforming to the NEA specifications provides most,  
if not all, of the benefits of TNC.  I always thought that the TCG  
should not be creating protocols but instead, should be defining  
"profiles" of existing protocols for compliance with an overall  
architectural recommendation.  This is similar to what the OATH  
consortium (OpenAuthentication) has done.  The OATH consortium is a  
marketing/business/technical organization that produces IETF drafts  
for standardizing "on the wire" protocols, and the consortium drives  
adoption.   In this way, they're employing existing organizations that  
really know how to create protocol standards, and using the "paid"  
organization to drive marketing/business, and technical evangelizing.

Regarding "Client-less" devices, Microsoft has defined a set of  
behaviors in their NAP documents for how "clientless" devices are to  
be treated by the network.  It seems to be that work on "clientless"  
devices is more "policy-oriented" than "technically-oriented" and that  
"standardizing" behavior in this area may seem more site-specific, and  
difficult to mandate a "global" conformance text for how to treat  
clientless devices.  As such, I think this may be something that could  
be "recommended" but not "mandated".

Someone brought up the comment about remediation, and Steve Hanna  
commented that "relevant remediation instructions for HCDs would be  
worthwhile".
I think he's suggesting looking at a "standard" for HCDs regarding  
remediation, which is a topic that came up on an earlier conference  
call discussing a "common" NAP plugin for Microsoft's health  
assessment architecture.  No vendor on the call seemed to "leap in"  
and say we should do this.

I would urge participants in these discussions to think about Steve's  
comments regarding the value of TNC/NEA protocols for devices WITHOUT  
TPMs.  This may be a point of departure for devices that do and do not  
have a TPM, especially when/if the TCG starts defining formal  
certification processes. While a TPM may not be ABSOLUTELY required by  
the NEA/TNC specs, the "bar" may be set so high for certification  
(requirements) that a TPM, or the equivalent of a TPM, may be the only  
way to hit the bar.  It would be interesting to see if the MS-NAP  
documents discuss compliance/requirements issues with regards to  
devices that DO NOT have a TPM. For instance, over time, will devices  
that DO NOT have a TPM be lumped into the "clientless" device  
category?  Or basically, will there be a "third" category of device  
for devices that implement the TNC protocol but do not have a TPM?



Randy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2433 bytes
Desc: not available
Url : http://www.pwg.org/archives/ids/attachments/20090319/213699bc/smime.bin


More information about the Ids mailing list