Adding Endpoint Defenses in the Browser
Having been involved in much of the early work around developing Network Admission Control (NAC), I realized that the weakest link is the endpoint. Time after time the objection was raised: "but what if they hack the endpoint?" Everyone in the NAC world tries to respond to this the same way - by pointing out that there are already many different ways of protecting the endpoint, such as anti-virus, anti-phishing, anti-spyware, and personal firewalls.
The folks at Mozilla took this a step further in Firefox v3 by adding additional controls in the browser. I was a little concerned when I first read about these controls because they seem to be "list" based (a white list and a black list) and seemed to point exclusively back at Google to source those lists. I like Google a lot, but going there alone for this data is too much like Microsoft asking everyone to trust them for security.
What's needed here is a protocol that allows the browser to be configured to retrieve these lists securely from a trusted source. I had hoped that the IETF Network Endpoint Assessment working group would eventually get here (I now doubt that will ever happen). I saw this article on SecurityFocus, and it seems to be saying the right things but doesn't define that protocol (yet).