Couple of points. Note that the MSK is encrypted even if you don't use RADIUS over TLS. The encryption is questionable (MD5 as a stream cipher) but might randomly happen to be good enough for encrypting a randomly chosen key. For myself I'll choose to deploy with TLS rather than trusting that :-)
I don't mind removing the trust router references, but I also don't think it is problematic to leave them in. This document points out there are multiple ways of solving the problem the trust router solves. I think it's fine to note that people are working on the trust router, one specific manifestation of the trust broker approach for managing the connection between RP and IDP. Other approaches are discussed besides the trust broker deployment pattern. So, I don't think there's a dependency created or implied. On the other hand, I don't mind removing the reference either.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
