On Feb 22, 2016, at 10:02 AM, Robert Drake <[email protected]> wrote:
> That seems like something you need to worry about no matter what the protocol
> is or where it originally came from. If a company wants to torpedo the
> standards process then they've always got lawyers. It doesn't matter how
> silly their claim is, they can tie it up in lawsuits for years.

True.

> The flip side to this is, if the IETF drags out this fight for too long, I
> could see major vendors making their own efforts to secure the protocol prior
> to anyone making a standard (possibly because a large customer demands the
> protocol be secured for whatever reason). If that happens, we might be stuck
> with TACACS+TLS from one vendor that doesn't interoperate with
> TACACS+blowfish from another (hopefully all with the ability to fall back to
> the de facto standard if needed.. or perhaps we just run 3 separate servers
> with different extensions to support multiple vendors..)
>
> Maybe not. It's been 20 years. It's possible it's just too obscure to worry
> about, but we won't know until it happens.

I think since TACACS+ has waited 20+ years for standardization, it's worth waiting a few more months to be sure we get it right.

And since TACACS+ is largely used *within* the enterprise, the issue of securing it is less relevant than (say) RADIUS, which is used across the wider internet.

Alan DeKok.
