I really don't like the fact that the current draft says that the subject field is omitted when constructing a request.
1. It means that I cannot use my existing validating parser for this, as we will no longer have schema-compliant XML for the request.
2. See #1.
3. I believe that one will need/want to ask questions about multiple entities involved. That is, one might want to ask about both the user and the user's machine.

I would propose making the following changes:

1. Define a new name type that has two string values, "user" and "machine". This corresponds to the current set of identity types that is defined by TEAP. This would also allow for anonymous names to be returned to the RP without any problems.
2. Either define or reference a SAML name type for NAIs. I am not sure if the new and old NAIs should be done differently, as there are some differences between the name matching rules. I also understand that if a proxy re-writes the identifier in the RADIUS string, this field may not be re-written as well, depending on if the proxy is going to look for it.

I have a small concern about pseudonymous names: at present the first time a client might see its pseudonymous name would be when it is transmitted from the acceptor to the initiator as part of the application protocol. There is currently no provision for an IdP to send the name to the client as part of the current GSS-EAP protocol, and it is not clear to me that the client should be required to contact the IdP prior to talking to the server to set up for an anonymous name.

Jim
