Section 4:

I thought we were going to make RADIUS over TLS a MUST not a SHOULD.
Current text says recommended.

Section 6.3.3:

I would like to state for the record that I believe interlinking the
SAML and EAP authentications to permit the SAML request to affect things
like TLS resumption and authentication freshness is problematic and
will lead to implementation failures (or simply be ignored).

I would prefer we not take that approach.  However the sense of the room
was against me when this was last discussed.
I do think an explicit consensus call by chairs if we have not already
made such a call would be valuable.  I expect that it's likely I'm in
the rough.


Section 6.4.3:

   o  Assume that the Client's identifier implied by a SAML <Subject>
      element, if present, takes precedence over an identifier implied
      by the RADIUS User-Name attribute.

*what*?!  This flies in the face of 4.3.1.


This draft still does not provide a mechanism to meet the conditions
specified in section 4.3.2.  In particular, we don't describe how to
embed AAA names in requests, responses or metadata.

--Sam

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
