>>>>> "Stefan" == Stefan Winter <[email protected]> writes:

    Stefan> Hi,
    >> I'm confused by your message because I don't understand how PCP
    >> can make the decision without understanding the EAP requirements.
    >> 
    >> If EAP is going to make requirements of PCP, then either PCP
    >> needs to meet those requirements or not use EAP.  So, I think we
    >> need to understand the general requirements to understand what
    >> our options are in PCP.

    Stefan> EAP does not make requirements for PCP in this case; the
    Stefan> question is left open in the RFC.

    Stefan> That is highly understandable, IMHO, because EAP is the
    Stefan> Extensible Authentication Protocol; *authorisation* lifetime
    Stefan> is not something that's naturally covered.

Right. And I'm asking to point out that this is not covered in the
applicability statement.
I think Klaas does a great job of explaining the situation and I'd like
to work on adapting his message for text.

    >> So, would you be willing to explain why you believe PCP should
    >> decide on its requirements first and how you see that interacting
    >> with a later general discussion?

    Stefan> You described two courses of action: PCP can either make
    Stefan> applications decide on the authorization lifetime on their
    Stefan> own, or it can request that this lifetime information is
    Stefan> derived from EAP.

Thanks for helping explain.
I now understand my confusion and believe it was because I was unclear
in my message.
In my mind PCP was the application.
I was arguing that here in ABFAB we have two courses of action:

1) Say that applications need to figure out authorization lifetime on
their own.
I favor this.

2) Say that as part of making EAP applicable to application
authentication, we make requirements for all applications using EAP on
authorization lifetime.
I prefer the first option.

--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab