RE: Issue 189: Handling of the identity response

From: John Vollbrecht (jrv
Date: Fri, 31 Oct 2003 14:06:59 -0600 (CST)
--On Friday, October 31, 2003 11:08 AM -0800 Joseph Salowey <jsalowey [at] cisco.com> wrote:
[John] I understand your point. I was trying to say that the algorithm MAY use the information, otherwise why would we give it to him? However, it should not use it as the method's identity. Note that it may use the identity or identity as modified by the NAS to select which EAP method to use. That is different than using it in the method.
> -----Original Message-----
> From: jrv [at] j.imap.itd.umich.edu
> [mailto:jrv [at] j.imap.itd.umich.edu] On Behalf Of John Vollbrecht
> Sent: Friday, October 31, 2003 9:04 AM
> To: Joseph Salowey; eap [at] frascone.com
> Subject: Re: [eap] Issue 189: Handling of the identity response
>
> > see suggestions below - mostly edits and nits
> >
> > --On Thursday, October 30, 2003 10:11 AM -0800 Joseph Salowey
> > <jsalowey [at] cisco.com> wrote:
> >
> > > Handling of the identity response
> > >
> > > Submitter name: Joe Salowey
> > > Submitter email address: jsalowey [at] cisco.com
> > > Date first submitted: 10/30/2003
> > > Reference:
> > > http://mail.frascone.com/pipermail/public/eap/2003-October/001787.html ,
> > > http://mail.frascone.com/pipermail/public/eap/2003-October/001788.html
> > > Document: RFC2284bis
> > > Comment type: 'E'ditorial
> > > Priority: '1' Should fix
> > > Section: Section 5.1 and Section 2.2
> > > Rationale/Explanation of issue:
> > >
> > > The data in the EAP-Identity Response method is typically provided to
> > > a method for processing. There are several reasons why a method may
> > > not be able to process this identity. First the identity may not be
> > > the appropriate identity for the method chosen by the server. Second
> > > the identity may have been decorated to ensure that it is routed
> > > correctly to the appropriate EAP-Server.
> > >
> > > The recommendation is to suggest that the EAP-Identity response be
> > > used primarily for routing and method selection. EAP-Methods should
> > > provide a separate mechanism for obtaining identity and not rely upon
> > > the identity response. Many proposed methods already have a way to do
> > > this.
> > >
> > > Requested change:
> > >
> > > Modify the following text in section 2.2:
> > >
> > > "Since some EAP authentication methods may wish to access the
> > > Identity, implementations SHOULD make the Identity Request and
> > > Response accessible to authentication methods (Types 4 or greater) in
> > > addition to the Identity method. Identity Type is discussed in
> > > Section 5.1."
> > >
> > > However, it is recommended that future EAP Methods not rely upon the
> > > identity received in the identity response and have an alternate way
> > > of obtaining identity. There are several reasons why a method may not
> > > be able to process this identity; the identity may have been decorated
> > > to ensure that it is routed correctly to the appropriate EAP-Server,
> > > or the identity may have been truncated or obfuscated for privacy
> > > reasons. It is recommended that the identity be used primarily for
> > > routing the request to an appropriate EAP server; and that the
> > > identity response be ignored by the EAP Method. Identity Type is
> > > discussed in Section 5.1."
> >
> > how about
> >
> > When an EAP Identity Method is used, Data in the EAP-Identity Response
> > is typically provided to subsequent EAP Methods. The subsequent Method
> > MAY use this in processing its algorithm. Note that the information in
> > the Identity Response is primarily used for routing following EAP
> > requests and for selecting a method to process the request. A method
> > SHOULD NOT use information in the Identity response as the actual
> > Identity to be authenticated.
>
> [Joe] I'm not sure about the last sentence. The SHOULD NOT may conflict
> with the previous MAY. How about: "A method SHOULD provide a method
> specific means for obtaining identity so it does not have to rely upon
> the information in identity response."
>
> > The reason is that the Data in the Identity Response may not be the
> > appropriate identity for the method chosen by the server: the identity
> > may have been decorated to ensure that it is routed correctly by a NAS
> > or Proxy AAA Server to the appropriate EAP-Server, or the identity may
> > have been truncated or obfuscated for privacy reasons. It is
> > recommended that the Identity Response Data be used primarily for
> > routing the request to an appropriate EAP server and/or selecting an
> > EAP method, and that the Identity Response Data be ignored by the
> > subsequent EAP Method. Identity Type is discussed in Section 5.1.
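The separation the thread argues for, shown as an added example that is not code from the thread or from any EAP implementation: the EAP server uses Identity Response data only to route the request (undecorating a `homerealm!user@visited` NAI) and to pick a method, while the method takes the identity it authenticates from its own exchange. Realm names, the policy table, the single-level decoration handling and the `exchange` dictionary are assumptions.

```python
# Constructed example: EAP server front end that treats the Identity
# Response as routing/method-selection input only (assumptions marked).

# EAP method Type numbers from the IANA EAP registry.
EAP_TLS, EAP_TTLS, EAP_PEAP = 13, 21, 25

# Assumed local policy: realm served here, and which method each home
# realm runs (names and table are made up for the example).
LOCAL_REALM = "visited.example"
REALM_METHOD = {"home.example": EAP_TLS, "corp.example": EAP_TTLS}


def route(identity_data: str) -> tuple:
    """Identity Response data is used only to find the next hop.
    'homerealm!user@visited' (single-level decoration in the style of
    RFC 4282, simplified) means: forward to homerealm as 'user@homerealm'.
    Returns (next_realm, nai_to_forward)."""
    if "@" not in identity_data:
        return LOCAL_REALM, identity_data     # no realm: terminate locally
    user, _, realm = identity_data.rpartition("@")
    if realm != LOCAL_REALM:
        return realm, identity_data           # not ours: proxy unchanged
    if "!" in user:
        home, _, inner_user = user.rpartition("!")
        return home, f"{inner_user}@{home}"   # strip this hop's decoration
    return LOCAL_REALM, identity_data         # request terminates here


def select_method(nai: str) -> int:
    """Identity Response data is also legitimate input to method choice."""
    return REALM_METHOD.get(nai.rpartition("@")[2], EAP_TLS)


def run_method(method: int, exchange: dict) -> str:
    """The identity a method authenticates comes from its own exchange,
    never from the Identity Response: a TLS client certificate subject for
    EAP-TLS, the tunnelled inner identity for TTLS/PEAP (constructed)."""
    if method == EAP_TLS:
        return exchange["client_cert_subject"]
    return exchange["inner_identity"]


def authenticate(identity_data: str, exchange: dict) -> dict:
    """Route, pick a method, then let the method decide who was authenticated."""
    next_realm, nai = route(identity_data)
    method = select_method(nai)
    return {"routed_to": next_realm, "method": method,
            "routing_identity": nai,
            "authenticated_as": run_method(method, exchange)}
```

An anonymous or decorated outer identity therefore never becomes the authenticated identity; it only determines where the request goes and which method runs.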