>>>>> "Klaas" == Klaas Wierenga <[email protected]> writes:
Klaas> On Oct 19, 2012, at 3:59 PM, Sam Hartman <[email protected]> wrote:
Klaas> Sam,
Klaas> The way I look at it is that you talk about two different
Klaas> types of authorisations, one where the AAA-server says "for
Klaas> the following x seconds I vouch for the fact that Sam has
Klaas> successfully authenticated and is associated with the
Klaas> following attributes" and the other where the resource owner
Klaas> decides what should happen once that assertion is not valid
Klaas> anymore. I don't believe it is the business of the AAA-server
Klaas> to say what the resource owner must do. If someone has
Klaas> configured my firewalls perfectly and now leaves for another
Klaas> company, I do want to make sure he can not mess with my
Klaas> configs anymore, but I definitely don't want to have to redo
Klaas> all my configuration. At the same time, I can also imagine
Klaas> cases where you do want to roll back actions someone
Klaas> undertook. So all in all, this is application logic that I
Klaas> don't think we should try to specify. And indeed, for one
Klaas> particular application, like network access, it may make
Klaas> perfect sense to specify the behaviour explicitly.
+1
This is really well stated.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab