Speaking as an individual. I don't look forward to making changes to EAP identity handling now and I definitely don't look forward to implementing the code for it.
I think this is a change we can make later. I do think we'll have to make it later. This saves a round trip, and throughout the IETF we've generally found that saving round trips in authentication is important. This is only a round trip when you access an application, but for some important classes of application you access them very, very frequently. For example, for Kerberos used with HTTP we'd seen thousands of authentications a second for a single web page. (Without fast reauthentication of some kind, GSS-EAP will not be suitable for that deployment. It stretches Kerberos a lot.) So I think we'll end up supporting this long-term.

I think we can add support later. I think the spec and implementation would be cleaner if we added support now. Currently the EAP identity is more of a special case than I think it will end up. Currently, we have EAP traffic both in the initial state and in the authenticate state. Also, a passthrough authenticator needs to synthesize an identity request. We could get rid of both of those if we had an identity subtoken.

However, we clearly don't have consensus to make the change (I'm really glad I asked). Building that consensus would take time; getting the change right and implemented would take time. I'd rather just do this in a future extension document if I'm right that we end up needing it. I think the result will be slightly more ugly, but it would be nice to get done and last call our core specs.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
