As part of the plasma work, one of the things that has been stated as a requirement is that the RP can insist on a level of assurance for the client to be authenticated with. At this point in the process, I don't care about the specifics of how the LOA is actually specified, but I am interested in how the data specifying this would be conveyed.
At this point I can see two different methods to convey the information:

1. The data is carried in a RADIUS attribute. Such an attribute may already exist (I have not done any type of exhaustive search) and just needs to be documented. I can see other access points wanting to require an LOA in just the straight RADIUS AAA world.

2. The data could be carried in a SAML request. As long as the IdP and the AAA RADIUS server are co-existent this would not be a problem. But it does mean that the SAML request now needs to be parsed for some information before the EAP processes are run in order to determine which EAP methods are acceptable to the RP.

Jim

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
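The second option above (parse the SAML request before EAP starts, to learn which EAP methods the RP will accept) is easy to picture in code. The following is an added illustration, not code from the thread or from any ABFAB implementation. It assumes, as one possible encoding that the message itself leaves open, that the RP expresses its LOA requirement with the standard SAML 2.0 `RequestedAuthnContext` element, and it uses a constructed (hypothetical) policy table mapping authentication-context classes to the EAP methods that are considered to satisfy them. The sample AuthnRequest messages are constructed for the example.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces (standard values).
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed policy (an assumption for this example, not anything from the
# thread): which EAP methods the AAA server treats as meeting a given
# SAML authentication-context class.
EAP_METHODS_BY_CLASS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport":
        frozenset({"EAP-TTLS", "EAP-PEAP", "EAP-TLS"}),
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient":
        frozenset({"EAP-TLS"}),
}
ALL_METHODS = frozenset().union(*EAP_METHODS_BY_CLASS.values())


def requested_authn_context(authn_request_xml: str):
    """Return (comparison, [class refs]) from a samlp:AuthnRequest.

    Note: on a real AAA path the request is attacker-influenced input; use
    defusedxml (or an equally hardened parser) rather than plain ElementTree.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return "exact", []  # RP stated no LOA requirement
    comparison = rac.get("Comparison", "exact")  # SAML default is "exact"
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")
            if e.text and e.text.strip()]
    return comparison, refs


def acceptable_eap_methods(authn_request_xml: str) -> frozenset:
    """Decide, before EAP runs, which EAP methods may be offered to the peer.

    An empty result means the RP's requirement cannot be met by any method
    we support, so the AAA server should reject rather than start EAP.
    """
    comparison, refs = requested_authn_context(authn_request_xml)
    if not refs:
        return ALL_METHODS
    if comparison != "exact":
        # Ordering classes by strength is policy the page does not define,
        # so only exact matching is handled here.
        raise ValueError(f"unsupported Comparison value: {comparison!r}")
    methods = frozenset()
    for ref in refs:
        # Unknown classes contribute nothing: we cannot claim to satisfy them.
        methods |= EAP_METHODS_BY_CLASS.get(ref, frozenset())
    return methods


def _sample_request(rac_body: str) -> str:
    # Constructed sample AuthnRequest; rac_body is the RequestedAuthnContext
    # element (or "" for a request that states no LOA requirement).
    return f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-example" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">
  <saml:Issuer>https://rp.example.org</saml:Issuer>
  {rac_body}
</samlp:AuthnRequest>"""


REQUEST_TLS_CLIENT = _sample_request(
    '<samlp:RequestedAuthnContext Comparison="exact">'
    "<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"
    "</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>")
REQUEST_PASSWORD = _sample_request(
    "<samlp:RequestedAuthnContext>"
    "<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:"
    "PasswordProtectedTransport</saml:AuthnContextClassRef>"
    "</samlp:RequestedAuthnContext>")
REQUEST_NO_LOA = _sample_request("")
REQUEST_UNKNOWN = _sample_request(
    "<samlp:RequestedAuthnContext>"
    "<saml:AuthnContextClassRef>urn:example:ac:classes:NotSupported"
    "</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>")

if __name__ == "__main__":
    for name, req in [("TLSClient", REQUEST_TLS_CLIENT), ("Password", REQUEST_PASSWORD),
                      ("no LOA", REQUEST_NO_LOA), ("unknown class", REQUEST_UNKNOWN)]:
        print(f"{name:14s} -> {sorted(acceptable_eap_methods(req))}")
```

The point of the example is the ordering the message describes: the RADIUS/AAA server has to extract the RP's requirement from the SAML request and turn it into an EAP method list before the first EAP exchange, and a requirement it cannot satisfy should end the conversation there rather than after an EAP method has already run.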
