RE: Issue 189: Handling of the identity response
From: Joseph Salowey (jsaloweycisco.com)
Date: Fri, 31 Oct 2003 16:50:20 -0600 (CST)
> -----Original Message-----
> From: jrv [at] j.imap.itd.umich.edu 
> [mailto:jrv [at] j.imap.itd.umich.edu] On Behalf Of John Vollbrecht
> Sent: Friday, October 31, 2003 12:50 PM
> To: Joseph Salowey; eap [at] frascone.com
> Subject: RE: [eap] Issue 189: Handling of the identity response
> 
> --On Friday, October 31, 2003 12:32 PM -0800 Joseph Salowey 
> <jsalowey [at] cisco.com> wrote:
> 
> > > > > how about
> > > > >
> > > > > When an EAP Identity Method is used, Data in the EAP-Identity
> > > > > Response is typically provided to subsequent EAP Methods.  The
> > > > > subsequent Method MAY use this in processing its algorithm.
> > > > > Note that the information in the Identity Response is primarily
> > > > > used for routing following EAP requests and for selecting a
> > > > > method to process the request.  A method SHOULD NOT use
> > > > > information in the Identity response as the actual Identity to
> > > > > be authenticated.
> > > > >
> > > > [Joe] I'm not sure about the last sentence. The SHOULD NOT may
> > > > conflict with the previous MAY.  How about: "A method SHOULD
> > > > provide a method specific means for obtaining identity so it does
> > > > not have to rely upon the information in identity response."
> > > >
> > > [John] I understand your point.  I was trying to say that the
> > > algorithm MAY use the information, otherwise why would we give it
> > > to him? However, it should not use it as the method's identity.
> > > Note that it may use the identity or identity as modified by the
> > > NAS to select which EAP method to use.  That is different than
> > > using it in the method.
> > >
> > [Joe] Isn't the method selection done before the method gets the
> > identity?  Some existing methods may require the identity; that is
> > why it should be provided to the method.  I think we want to
> > discourage reliance on the identity response in methods moving
> > forward.
> >
> [John] I think the Identity may be used by some methods (actually I am
> not sure this is true) which are capable of doing whatever treating of
> the method to get its meaning.  However some methods may also use the
> identity from the RADIUS User-ID to get the identity.  These are not
> the same, as the NAS may modify the EAP Identity data to support RADIUS
> proxy routing.
> 
[Joe] An EAP method SHOULD provide a means to obtain the peer identity. A
method MAY use external indicators to determine identity, but these
should not be the only means to establish identity as these are usually
specific to certain environments.

> I am thinking the second case [routing] is governed by a set of rules
> agreed to by the organization of clients and NASs not covered in this
> spec.  This is ok.
> 
> The first case - where the method uses the Identity Response data from
> the previous request as an identity does not seem right.  In thinking
> about it I am not sure it actually happens in any implementations [as
> opposed to selecting the method instance based on the Response Data].

[Joe] I was under the impression that EAP-OTP required the identity.

> I think this is what you are saying should be discouraged, and I am
> wondering if it is SHOULD or MUST not.
>
[Joe] If we can make it a MUST NOT use the identity from the identity
response that would be great. 
 
> 
> > _______________________________________________
> > eap mailing list
> > eap [at] frascone.com http://mail.frascone.com/mailman/listinfo/eap