<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
</head>
<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS","sans-serif";
color:#1F497D'>Randy,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS","sans-serif";
color:#1F497D'>Don't confuse the explicitly vendor specific opaque "Configuration
State" value with the to be defined "Certification State". Configuration State
is not necessarily intended to be remediated (except, perhaps, by some vendor
supplied mechanism). Certification State may, depending on its final definition,
be remediable.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS","sans-serif";
color:#1F497D'>Joe Murdock<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS","sans-serif";
color:#1F497D'>Sharp Labs of America<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal>Hi Dave,<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>In the proposal, I just indicated that the "value"
is a hash - it's currently 32 bytes which only allows for a 256-bit hash. If we
mandate that it should be able to hold a SHA-512 as well, we'll have to double its length.
I think just getting agreement for the existence of the attribute is the
goal, we can flex the size of the field once we have consensus on the acceptance of the
attribute.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I agree with your comment about which values to include in
the hash, but from a protocol perspective, the mechanisms would work pretty
much the same way. Even though a vendor could allow customers to indicate which
parameters are included in the hash, the "management tool in the sky"
would have to know which parameters make up the hash, on a per-device basis, in order
to potentially remediate the situation. Given this constraint, I think vendors
should supply a factory default set of params that make up the hash, a set that
makes sense in the majority of cases, and allow customers to override this,
provided they "sync up" their remediation infrastructure with the same info...<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Randy<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<div>
<p class=MsoNormal>On Aug 15, 2008, at 10:31 AM, Dave Whitehead wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Randy,</span> <br>
<br>
<span style='font-family:"Helvetica","sans-serif"'>Looks good. Two
comments about Configuration State:</span> <br>
<br>
<span style='font-family:"Helvetica","sans-serif"'>1> We should
mandate the use of a cryptographically secure hash function (SHA256/512)</span>
<br>
<br>
<span style='font-family:"Helvetica","sans-serif"'>2> Vendors provide
the set of available configuration items but the customer selects which items
to include in the hash -- some they care about, some they don't.</span> <br>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>David H.
Whitehead<br>
Development Engineer<br>
Lexmark International, Inc.<br>
859.825.4914<br>
davidatlexmarkdotcom</span> <br>
<br>
<o:p></o:p></p>
<table class=MsoNormalTable border=0 cellpadding=0 width="100%"
style='width:100.0%'>
<tr>
<td width="40%" valign=top style='width:40.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><b><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>Randy
Turner &lt;<a href="mailto:rturner@amalfisystems.com">rturner@amalfisystems.com</a>&gt;</span></b><span
style='font-size:7.5pt;font-family:"Arial","sans-serif"'> </span><br>
<span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>Sent by: <a
href="mailto:owner-ids@pwg.org">owner-ids@pwg.org</a></span><o:p></o:p></p>
<p><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>08/15/08
04:02 AM</span> <o:p></o:p></p>
</td>
<td width="59%" valign=top style='width:59.0%;padding:.75pt .75pt .75pt .75pt'>
<table class=MsoNormalTable border=0 cellpadding=0 width="100%"
style='width:100.0%'>
<tr>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal align=right style='text-align:right'><span
style='font-size:7.5pt;font-family:"Arial","sans-serif"'>To</span><o:p></o:p></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'><a
href="mailto:ids@pwg.org">ids@pwg.org</a></span> <o:p></o:p></p>
</td>
</tr>
<tr>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal align=right style='text-align:right'><span
style='font-size:7.5pt;font-family:"Arial","sans-serif"'>cc</span><o:p></o:p></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'></td>
</tr>
<tr>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal align=right style='text-align:right'><span
style='font-size:7.5pt;font-family:"Arial","sans-serif"'>Subject</span><o:p></o:p></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>IDS>
DRAFT: IETF NEA proposal</span><o:p></o:p></p>
</td>
</tr>
</table>
<p class=MsoNormal><o:p> </o:p></p>
</td>
</tr>
</table>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
<br>
<br>
<tt><span style='font-size:10.0pt'>Hi All,</span></tt><span style='font-size:
10.0pt;font-family:"Courier New"'><br>
</span><br>
<tt><span style='font-size:10.0pt'>Please read the attached RTF and provide any
feedback you may have...</span></tt><span style='font-size:10.0pt;font-family:
"Courier New"'><br>
</span><br>
<tt><span style='font-size:10.0pt'>Please excuse the VERY simple, raw
formatting I'm using - this has to be</span></tt><span style='font-size:10.0pt;
font-family:"Courier New"'><br>
<tt>in the simplest ASCII text form possible for eventual emailing to the</tt><br>
<tt>NEA</tt><br>
<tt>mailing list.</tt><br>
</span><br>
<tt><span style='font-size:10.0pt'>For now, just concentrate on the content :)
:)</span></tt><span style='font-size:10.0pt;font-family:"Courier New"'><br>
</span><br>
<tt><span style='font-size:10.0pt'>Thanks!</span></tt><span style='font-size:
10.0pt;font-family:"Courier New"'><br>
<tt>Randy</tt><br>
</span><br>
<br>
<span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>[attachment
"draft-nea-proposal.rtf" deleted by Dave Whitehead/Lex/Lexmark] </span><br>
<br>
<o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
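<p class=MsoNormal>Added example, not part of the original messages or of the NEA proposal: a sketch of the Configuration State idea discussed in this thread, showing that a SHA-256 digest fits the 32-byte value field while SHA-512 does not, and that a verifier only matches the device when both hash the same parameter set. The parameter names, the length-prefixed encoding and the function names are assumptions made for illustration.</p>
<pre>
```python
import hashlib
import hmac

FIELD_LEN = 32  # size of the "value" field mentioned in the thread, in bytes

# Constructed sample settings; every parameter name here is hypothetical.
DEVICE_CONFIG = {
    "admin_password_set": "true",
    "display_language": "en",
    "firmware_update_url": "https://updates.example.invalid/fw",
    "snmp_v1_enabled": "false",
    "telnet_enabled": "false",
}
FACTORY_SET = ("admin_password_set", "snmp_v1_enabled", "telnet_enabled")
CUSTOMER_SET = FACTORY_SET + ("firmware_update_url",)


def canonical_bytes(config, selected):
    """Length-prefixed name/value pairs in sorted order (assumed encoding),
    so both sides hash identical bytes for the same parameter set."""
    out = bytearray()
    for name in sorted(selected):
        for part in (name, config[name]):
            raw = part.encode("utf-8")
            out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def configuration_state(config, selected, algorithm="sha256"):
    """Hash the selected parameters; reject digests that do not fit the field."""
    digest = hashlib.new(algorithm, canonical_bytes(config, selected)).digest()
    if len(digest) != FIELD_LEN:
        raise ValueError(f"{algorithm} digest is {len(digest)} bytes, field holds {FIELD_LEN}")
    return digest


def verify(reported, expected_config, verifier_set):
    """Management-side check: recompute with the verifier's own parameter set."""
    expected = configuration_state(expected_config, verifier_set)
    return hmac.compare_digest(reported, expected)


if __name__ == "__main__":
    reported = configuration_state(DEVICE_CONFIG, CUSTOMER_SET)
    print("verifier synced to customer set:", verify(reported, DEVICE_CONFIG, CUSTOMER_SET))
    print("verifier still on factory set:  ", verify(reported, DEVICE_CONFIG, FACTORY_SET))
```
</pre>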
</div>
</body>
</html>