> BTW, this is one of the MAJOR concerns I have with the NEA working group: they
> explicitly declared the integrity of the client-side piece of software "out
> of scope" for their working group. This is somewhat fatal, and undermines
> most of the efforts.
>
> At least, Cisco's solution delivers a piece of software from the server side,
> so that the network admin has control over the assessment software and can be
> reasonably sure it's trusted. Of course, that shifts the problems to the
> client (end user), who is supposed to trust that piece of software.

With the proliferation of virtual machine technologies and CPU support for such, I do not think it would be difficult for someone to spoof the software downloaded. The "Windows Genuine Advantage" client runs on WINE. The only way to ensure client-side trustedness is a TPM or similar, and that has a whole raft of other problems, both technical and political.

I think it's pretty reasonable to say: """The working group declares the problem of any Turing machine being able to simulate any other Turing machine as out-of-scope."""

I haven't been following the NEA so their work might be rubbish, but the untrusted client-side nature of the software does not make it intrinsically worthless - the reason being that for someone to trick out the software, they have to EXPLICITLY install and configure some other software, which is a clear AUP violation and when detected (a system that asserts it is patched gets hacked) can be dealt with at the appropriate level of severity with the organisation's administrative (not technical) group.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

