> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Sam Hartman
> Sent: Friday, November 18, 2011 7:56 PM
> To: [email protected]
> Subject: [abfab] GSS EAP: Acceptor Name all the time
>
>
> Jim has requested that the acceptor always return an acceptor name token
> to the client even if the client sends an expected acceptor name token to the
> acceptor. The idea is that if the client sends something like smtp the
> acceptor could return [email protected].
>
> The advantage here is that the client gains a more complete form of the
> acceptor name.
>
> In the meeting today I said there were no disadvantages besides a few
> octets.
> Turns out that's not quite true.
> The client now needs to confirm that the received name is acceptable.
> Implementing that is a tad tricky but certainly doable.

While it is true that the client can confirm that the received name is acceptable, I think that for the most part this could be considered to be a NOP as the name returned SHOULD be a more detailed version of the name the client sent up. That is, if the client asks for "smtp" then the server MUST NOT return "[email protected]" as this would be something that would never be expected.

If the client does not do the validation, then it can send its version of the name as part of the channel bindings and let the EAP server worry about the comparisons. In that case it will be no worse than it is today.

Jim

>
> I support this change but would like to call for comments.
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab
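
The client-side check discussed in this thread (the returned acceptor name may only add detail to the name the client sent), as an added example that is not part of either message or of any GSS-EAP implementation. It assumes the name syntax `service[/host[/specifics]][@realm]`; the function names and the `example.com` names are constructed for illustration.

```python
from typing import NamedTuple, Optional


class AcceptorName(NamedTuple):
    service: Optional[str]
    host: Optional[str]
    specifics: Optional[str]
    realm: Optional[str]


def parse_name(name: str) -> AcceptorName:
    """Split 'service[/host[/specifics]][@realm]' (assumed syntax) into parts."""
    local, sep, realm = name.rpartition("@")
    if not sep:                       # no '@': the whole string is the local part
        local, realm = name, ""
    service, host, specifics = (local.split("/", 2) + ["", ""])[:3]
    # Host and realm are DNS-style labels, so compare them case-insensitively.
    return AcceptorName(service or None, host.lower() or None,
                        specifics or None, realm.lower() or None)


def is_acceptable(requested: str, returned: str) -> bool:
    """True if `returned` only adds detail to what the client `requested`."""
    want, got = parse_name(requested), parse_name(returned)
    # Every component the client named must come back unchanged; components
    # the client left empty may be filled in by the acceptor.
    return all(w is None or w == g for w, g in zip(want, got))


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    samples = [
        ("smtp", "smtp/mail.example.com@example.com"),      # more detailed
        ("smtp", "imap/mail.example.com@example.com"),      # different service
        ("smtp/mail.example.com", "smtp"),                  # detail dropped
        ("smtp@example.com", "smtp/mail.example.com@example.org"),  # other realm
    ]
    for req, ret in samples:
        verdict = "accept" if is_acceptable(req, ret) else "reject"
        print(f"{req!r} -> {ret!r}: {verdict}")
```

A client that skips this comparison would rely instead on the channel-binding path described in the reply, where the EAP server compares the names.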
