Hi,

> I'm confused by your message because I don't understand how PCP can make
> the decision without understanding the EAP requirements.
> 
> If EAP is going to make requirements of PCP, then either PCP needs to
> meet those requirements or not use EAP.
> So, I think we need to understand the general requirements to understand
> what our options are in PCP.

EAP does not make requirements for PCP in this case; the question is
left open in the RFC.

That is highly understandable, IMHO, because EAP is the Extensible
Authentication Protocol; *authorisation* lifetime is not something
that's naturally covered.

> So, would you be willing to explain why you believe PCP should decide on
> its requirements first and how you see that interacting with a later
> general discussion?

You described two courses of action: PCP can either make applications
decide on the authorization lifetime on their own, or it can request
that this lifetime information is derived from EAP.

We agree that the question which course to take is PCP's decision alone.
The text in the EAP RFC seems to allow for both; there is lifetime
information that can either be made use of, or can be ignored. Given
that the information is meant for authentication, it may not be the best
idea to overload it and use it for authorisation information; but since
signalling authorisation is out of scope for EAP, that doesn't
necessarily need to be included in EAP applicability text.

One could argue that the EAP Applicability Statement is actually quite
clear: it doesn't mention the word authorization.

So, probably, whichever of the two courses the PCP wg might favour,
chances are good that neither of the two requires changes to the
applicability statement. If the wg thinks that they need a specific use
of EAP and they are unsure whether their specific need is covered or
not, they can try to sort that out at that point. I would worry about
clarifying wording when that has happened.

If your intent was to add a "non-applicability" statement like: EAP
doesn't care about your authorisation lifetime, then yes, such a
statement could be made, but isn't it implicit that everything that is
not mentioned as being applicable is not applicable? EAP also doesn't do
accounting nor coffee; maybe that needs to be stated, too.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473


_______________________________________________
abfab mailing list
https://www.ietf.org/mailman/listinfo/abfab