Issue 189: Handling of the identity response

From: Joseph Salowey (jsalowey
Date: Thu, 30 Oct 2003 12:12:01 -0600 (CST)

Handling of the identity response

Submitter name: Joe Salowey
Submitter email address: jsalowey [at] cisco.com
Date first submitted: 10/30/3003
Reference: http://mail.frascone.com/pipermail/public/eap/2003-October/001787.html, http://mail.frascone.com/pipermail/public/eap/2003-October/001788.html
Document: RFC2284bis
Comment type: 'E'ditorial
Priority: '1' Should fix
Section: Section 5.1 and Section 2.2

Rationale/Explanation of issue:

The data in the EAP-Identity Response method is typically provided to a method for processing. There are several reasons why a method may not be able to process this identity. First, the identity may not be the appropriate identity for the method chosen by the server. Second, the identity may have been decorated to ensure that it is routed correctly to the appropriate EAP-Server. The recommendation is to suggest that the EAP-Identity response be used primarily for routing and method selection. EAP-Methods should provide a separate mechanism for obtaining identity and not rely upon the identity response. Many proposed methods already have a way to do this.

Requested change:

Modify the following text in section 2.2:

"Since some EAP authentication methods may wish to access the Identity, implementations SHOULD make the Identity Request and Response accessible to authentication methods (Types 4 or greater) in addition to the Identity method. However, it is recommended that future EAP Methods not rely upon the identity received in the identity response and have an alternate way of obtaining identity. There are several reasons why a method may not be able to process this identity; the identity may not be the appropriate identity for the method chosen by the server, the identity may have been decorated to ensure that it is routed correctly to the appropriate EAP-Server, or the identity may have been truncated or obfuscated for privacy reasons.

It is recommended that the identity be used primarily for routing the request to an appropriate EAP server and that the identity response be ignored by the EAP Method. The Identity Type is discussed in Section 5.1."

I'm not sure we need to add anything to section 5.1 (although I think the implementation note needs to be fixed). There may be security considerations: in order to prevent mechanisms from revealing too much information about valid users, method implementations may always ignore the identity response and use the mechanism-specific identity query.
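
The split proposed above, as an added example that is not part of the original post or of RFC2284bis: the Identity Response is parsed and used only to pick an EAP server by realm, while the identity that gets authenticated comes from the method's own exchange. The routing table, server names, function names and sample identities are constructed for illustration.

```python
import struct

EAP_RESPONSE = 2       # EAP Code: Response
EAP_TYPE_IDENTITY = 1  # EAP Type: Identity

# Hypothetical realm-to-server routing table (constructed for this example).
ROUTES = {"example.org": "eap-server-a", "example.net": "eap-server-b"}
DEFAULT_SERVER = "local-eap-server"


def build_identity_response(ident: int, identity: bytes) -> bytes:
    """Build a constructed EAP Response/Identity packet for the demo."""
    header = struct.pack("!BBHB", EAP_RESPONSE, ident,
                         5 + len(identity), EAP_TYPE_IDENTITY)
    return header + identity


def parse_identity_response(packet: bytes) -> bytes:
    """Return the Type-Data of an EAP Response/Identity or raise ValueError."""
    if len(packet) < 5:
        raise ValueError("packet too short for an EAP Response")
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Response/Identity")
    if length < 5 or length > len(packet):
        raise ValueError("bad Length field")
    return packet[5:length]  # octets past Length are padding and are ignored


def route_for(identity: bytes) -> str:
    """Treat the identity purely as a routing hint: select a server by realm."""
    text = identity.decode("utf-8", errors="replace")
    _user, sep, realm = text.rpartition("@")
    if not sep:
        return DEFAULT_SERVER  # no realm present, handle locally
    return ROUTES.get(realm.lower(), DEFAULT_SERVER)


def authenticate(packet: bytes, method_identity: str) -> dict:
    """Route on the Identity Response; authenticate the method's own identity.

    method_identity stands for whatever the chosen EAP method obtained through
    its own identity query (an assumption of this example). The hint from the
    Identity Response never reaches the method.
    """
    hint = parse_identity_response(packet)
    return {"server": route_for(hint), "authenticated_as": method_identity}
```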