I have been looking at what would be required to use the PLASMA concepts with ABFAB and I came up with the following issue which I think might need to be addressed, despite the fact that the general issue is going to be considered to be out of scope.
Consider the following scenario:

Client talks to the service provider (for me the key service) using SOAP messages wrapped in GSS-API.

The service provider says - I never heard of you but you say this ID service will vouch for you. Set up the EAP connection.

Client talks to the ID service using EAP wrapped in GSS-API.

Service provider says I need some additional information and you need to talk to ID service 2. Set up the EAP connection.

Client talks to ID service #2 using EAP wrapped in GSS-API.

.... and so forth....

While we don't want to address the problems associated with the question of dealing with the second EAP session, I think that we do need to have a discussion on the naming convention that needs to occur for the attributes of the EAP session. How would we distinguish between the same attribute for each of the two different EAP sessions? Remember that they may have different attributes as the EAP methods could be separate.

Also I wonder if we need to consider that the two different EAP sessions could be authenticating to the same ID service, but named differently.

Jim
