Hi, Alex.

With my draft-ietf-abfab-aaa-saml hat on, I have a problem with one of
the proposed changes:

  * Fragmentation can only occur after authentication. Clients wanting to send
    large amounts of data can signal this situation on the first
    Access-Request, but the exchange will happen after authentication is
    completed for security reasons.


Unfortunately some of the use cases for SAML involve looking at the SAML
request to determine what authentication would be acceptable.  As an
example, we need to look at the LOA to determine what EAP methods are
acceptable.

As such, we do actually need to be able to send things like SAML
requests prior to authentication.

So, I'd like to better understand the reasons for this change.
If it's DOS concerns, I would prefer to revert the change and simply
note the concern in security considerations.

Also, from a DOS standpoint, since the entity being authenticated is the
user, not the NAS, I'd like to understand how you're better off from a
DOS standpoint after authentication.

--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab