> I'd like to ask some questions:
>
> 1) Are we willing to tightly control what extension tokens there are?
> I.E. do we think standards action or IETF review are appropriate registration
> policies for extensions?
>
> 2) What extensions needing MICs have we identified?
> Is the mutual flag the only one?
> We'd presumably also need protection of removed extensions; we could
> MIC a list of token types sent.

Some type of extension that allows for validation of external negotiation (i.e. what I send to the RP before setting up the gss-eap session)?

>
> --Sam
>
> 3) It's my belief that if we protect against removed extension tokens, we can
> add a conversation level finish message later if we wish. If we chose to do so
> in a backward compatible way, then we would not be able to have a hash
> function identifier in the OID.
> We could have a hash function in the extension token identifier though.
> Can I get people who understand the technical details in sufficient detail to
> sanity check me here and confirm that we could add conversation-level
> protection later if we chose?
>
> Thanks,
>
> --Sam
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab
