I have a few comments on the re-authentication text. Please see below.
(2013/01/19 4:45), Sam Hartman wrote:
Proposed text: EAP lower layers MAY provide a mechanism for re-authentication to happen within an existing session [RFC 3748]. Diameter standardizes a mechanism for an AAA server to request re-authentication [RFC 4005]. Re-authentication permits security associations to be updated without establishing a new session. For network access, this can be important because interrupting network access can disrupt connections and media. Some applications might not need re-authentication support. For example
I suggest: s/Some applications/Some EAP lower layers/.
if sessions are relatively short-lived or if sessions can be replaced without significant disruption, re-authentication might not provide value. Protocols like Hypertext Transport Protocol (HTTP) and Simple Mail Transport Protocol (SMTP) are examples of protocols where establishing a new connection to update security associations is likely to be sufficient.
Does HTTP support GSS-API? If not, I suggest removing HTTP from the text, as we are discussing EAP re-authentication. We should also add text mentioning that SMTP with GSS-EAP is considered an EAP lower layer.
Yoshihiro Ohba
Re-authentication is likely to be valuable if sessions or connections are long-lived or if there is a significant cost to disrupting them. Another factor may make re-authentication important. Some protocols only permit one side of a connection (for example the client) to establish a new connection. If another party in the protocol MAY need the security association refreshed then re-authentication can provide a mechanism to do so. Lower layers SHOULD describe whether re-authentication is provided and which parties can initiate it.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
