>>>>> "Nico" == Nico Williams <[email protected]> writes:

    Nico> On Sun, Oct 30, 2011 at 6:20 PM, Sam Hartman
    Nico> <[email protected]> wrote:
    >>>>>>> "Jim" == Jim Schaad <[email protected]> writes:
    >> 
    >>    Jim> Section 4 - does/should the application get any control over
    >>    Jim> the set of allowable EAP methods to be used or is that purely a
    >>    Jim> function of your GSS-API library
    >> 
    >> Currently no mechanism is provided for an application to
    >> influence this.  A mechanism probably should have system-level
    >> policy configuration.  A mechanism could expose a credential
    >> option on the initiator.  If we ever need to standardize a
    >> credential option we can, but I don't see a need for that now.

    Nico> I think Luke suggested using the SPNEGO
    Nico> gss_get/set_neg_mechs() functions for this.  I.e., you could
    Nico> treat GSS-EAP as a mechanism-negotiation mechanism, sort of.

Luke suggested that you could include the EAP type in the OID.
I explained that's all sorts of wrong and pointed you to the existing
text discussing multi-layer negotiation.
To recap, EAP method is much more like Kerberos preauth mechanism: a
matter that depends on the identity.
The acceptor doesn't really know what method is being used.
I mean it knows the outer method, but that will probably be something
like TTLS.
The acceptor is not in a position to construct the set of OIDs offered
if the EAP method is included, because the set of EAP methods supported
depends on the initiator identity.
We've discussed this issue going back as far as my initial feasibility
analysis. I realize that was not a consensus document, but I think it's
fair to ask you to go back and read that document's discussion of this
issue and the current text before jumping into the discussion.

    Nico> I don't see configuration as being satisfactory for this in
    Nico> the long-term.

I do, because it's a property of the identity.  I think acceptors will
sometimes want to know information about LOA of authentication and will
sometimes deny authorization based on that.  However, in most cases, an
initiator application has no business mandating an EAP method, and in
most cases an acceptor couldn't even if it wanted to.

--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
