RE: Issue 189: Handling of the identity response

From: Joseph Salowey (jsalowey
Date: Fri, 31 Oct 2003 13:08:43 -0600 (CST)

> -----Original Message-----
> From: jrv [at] j.imap.itd.umich.edu
> [mailto:jrv [at] j.imap.itd.umich.edu] On Behalf Of John Vollbrecht
> Sent: Friday, October 31, 2003 9:04 AM
> To: Joseph Salowey; eap [at] frascone.com
> Subject: Re: [eap] Issue 189: Handling of the identity response
>
>
> see suggestions below - mostly edits and nits
>
> --On Thursday, October 30, 2003 10:11 AM -0800 Joseph Salowey
> <jsalowey [at] cisco.com> wrote:
>
> > Handling of the identity response
> >
> > Submitter name: Joe Salowey
> > Submitter email address: jsalowey [at] cisco.com
> > Date first submitted: 10/30/3003
> > Reference:
> > http://mail.frascone.com/pipermail/public/eap/2003-October/001787.html,
> > http://mail.frascone.com/pipermail/public/eap/2003-October/001788.html
> > Document: RFC2284bis
> > Comment type: 'E'ditorial
> > Priority: '1' Should fix
> > Section: Section 5.1 and Section 2.2
> > Rationale/Explanation of issue:
> >
> > The data in the EAP-Identity Response method is typically provided to
> > a method for processing. There are several reasons why a method may
> > not be able to process this identity. First the identity may not be
> > the appropriate identity for the method chosen by the server. Second
> > the identity may have been decorated to ensure that it is routed
> > correctly to the appropriate EAP-Server.
> >
> > The recommendation is to suggest that the EAP-Identity response be
> > used primarily for routing and method selection. EAP-Methods should
> > provide a separate mechanism for obtaining identity and not rely upon
> > the identity response. Many proposed methods already have a way to do
> > this.
> >
> > Requested change:
> >
> > Modify the following text in section 2.2:
> >
> > "Since some EAP authentication methods may wish to access the
> > Identity, implementations SHOULD make the Identity Request and
> > Response accessible to authentication methods (Types 4 or greater) in
> > addition to the Identity method. However, it is recommended that
> > future EAP Methods not
> > > Identity Type is discussed in Section 5.1."
> > >
> > rely upon the identity received in the identity response and have an
> > alternate way of obtaining identity. There are several reasons why a
> > method may not be able to process this identity; the identity may the
> > identity may have been decorated to ensure that it is routed correctly
> > to the appropriate EAP-Server, or the identity may have been truncated
> > or obfuscated for privacy reasons. It is recommended that the
> > identity
> >> be used primarily for routing the request to an appropriate EAP
> >> server;
> > and that the identity response be ignored by the EAP Method. Identity
> > Type is discussed in Section 5.1."
> >
>
> how about
>
> When an EAP Identity Method is used, Data in the EAP-Identity Response is
> typically provided to subsequent EAP Methods. The subsequent Method MAY
> use this in its processing its algorithm. Note that the information in the
> Identity Response is primarily used for routing following EAP requests and
> for selecting a method to process the request. A method SHOULD NOT use
> information in the Identity response as the actual Identity to be
> authenticated.
>

[Joe] I'm not sure about the last sentence. The SHOULD NOT may conflict
with the previous MAY. How about. "A method SHOULD provide a method
specific means for obtaining identity so it does not have to rely upon
the information in identity response.

> The reason is that the Data in the Identity Response may not be the
> appropriate identity for the method chosen by the server: the identity
> may have been decorated to ensure that it is routed correctly by a NAS or
> Proxy AAAA Server to the appropriate EAP-Server, or the identity may have
> been truncated or obfuscated for privacy reasons. It is recommended that
> the Identity Response Data be used primarily for routing the request to an
> appropriate EAP server and/or selecting an EAP method, and that the
> Identity Response Data be ignored by subsequent the EAP Method. Identity
> Type is discussed in Section 5.1.
>
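
The handling discussed in this message, as an added example that is not part of the original e-mail or of RFC2284bis: the Identity Response is parsed and used only to pick a routing realm, while the identity that gets authorized comes from the method's own exchange. The function names, the `local.example` default realm and the sample identities are assumptions made for illustration.

```python
import struct

EAP_RESPONSE = 2       # EAP Code field value for a Response
EAP_TYPE_IDENTITY = 1  # EAP Type field value for Identity

def build_identity_response(identifier: int, identity: str) -> bytes:
    """Build a sample packet: Code, Identifier, Length, Type, Type-Data."""
    data = identity.encode("utf-8")
    header = struct.pack("!BBHB", EAP_RESPONSE, identifier,
                         5 + len(data), EAP_TYPE_IDENTITY)
    return header + data

def parse_identity_response(packet: bytes) -> str:
    """Return the Type-Data of an EAP-Response/Identity as text."""
    if len(packet) < 5:
        raise ValueError("too short for an EAP Response")
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if length < 5 or length > len(packet):
        raise ValueError("Length field does not fit the packet")
    # Octets past Length are lower-layer padding and are ignored.
    return packet[5:length].decode("utf-8", errors="replace")

def routing_realm(identity: str, default_realm: str = "local.example") -> str:
    """Realm after the last '@'; the only thing taken from the response."""
    _user, sep, realm = identity.rpartition("@")
    return realm.lower() if sep and realm else default_realm

def handle(packet: bytes, method_identity: str) -> dict:
    """Route on the Identity Response, authorize on the method's identity.

    method_identity stands for whatever the chosen EAP method obtained
    through its own exchange (hypothetical input here).
    """
    outer = parse_identity_response(packet)
    return {"route_to": routing_realm(outer),
            "authenticated_as": method_identity}

# Constructed sample: obfuscated outer identity, real identity from the method.
SAMPLE = build_identity_response(7, "anonymous@Corp.Example")

if __name__ == "__main__":
    print(handle(SAMPLE, "alice@corp.example"))
```
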
- Issue 189: Handling of the identity response, Joseph Salowey, October 30 2003
- Re: Issue 189: Handling of the identity response, John Vollbrecht, October 31 2003
- RE: Issue 189: Handling of the identity response, Joseph Salowey, October 31 2003
- RE: Issue 189: Handling of the identity response, John Vollbrecht, October 31 2003
- RE: Issue 189: Handling of the identity response, Joseph Salowey, October 31 2003
- RE: Issue 189: Handling of the identity response, John Vollbrecht, October 31 2003
- RE: Issue 189: Handling of the identity response, Joseph Salowey, October 31 2003
- Re: Issue 189: Handling of the identity response, John Vollbrecht, October 31 2003