>>>>> "Josh" == Josh Howlett <[email protected]> writes:
>> First, how should we handle cases where the protected result disagrees
>> with the failure/success message?
Josh> It was my understanding that the protected response is authoritative, and
Josh> the unprotected response is ignored. Alan?
>> Secondly, we should wait for the failure/success message before deciding
>> whether the context is established or not?
Josh> Hmm, isn't the context establishment ultimately dependent on receipt of
Josh> the MSK? The protected response is within the tunnel, the MSK is outside
Josh> the tunnel.
What is this tunnel of which you speak? At this layer, both passthrough
authenticators and tunnel methods are somewhat invisible to us. That's
absolutely true on the initiator. On the acceptor, it's more complex; we
want to write guidance that works with a full or passthrough
authenticator.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab