OK. Let me rephrase. I claim for a given message the following reactions are reasonable:
1) require signature, 2) ignore any present signature, and that 3) verify if present and fail if verified is unreasonable.

It may be that verify if present and tell a human what verification yielded is sometimes helpful, but I'm dubious.

Are you arguing for 3? Or are you arguing that we should add a new security requirement to RADIUS that there are some messages that MUST be signed?

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
