> On 19 Feb 2015, at 09:56, Leif Johansson <[email protected]> wrote:
>
> > On 02/19/2015 09:00 AM, Alejandro Perez Mendez wrote:
> >> Hi Sam,
> >>
> >> thanks for the review. See my comments below.
> >>
> >> On 17/02/15 at 23:49, Sam Hartman wrote:
> >>>
> >>> Section 4:
> >>>
> >>> I thought we were going to make RADIUS over TLS a MUST, not a SHOULD.
> >>> Current text says recommended.
> >>
> >> Whereas version -09 stated once (in section 5.2) that the use of TLS was
> >> REQUIRED, throughout the rest of the text it indicated this support
> >> several times as RECOMMENDED (sections 7.4.5, 8.3.2, and 10). I just
> >> homogenized them to the prevailing one.
> >>
> >> Nevertheless, I think that making TLS a MUST might be limiting. There
> >> might be some use case scenarios for this profile where using TLS is not
> >> actually required (e.g. other security mechanisms apply). I would see
> >> that kind of requirement more at the ABFAB architecture level than at
> >> this I-D level. Moreover, in the saml-profiles-2.0-os document, the use
> >> of TLS is indicated as RECOMMENDED.
>
> Speaking as an individual, I don't think there are any sane reasons not
> to use TLS if you relax the requirements on credential administration
> (e.g. run opportunistic TLS). Having said that, I think RECOMMENDED is
> probably strong enough anyway.
Speaking as another individual, you could go the route that other drafts have taken and say something like: TLS is REQUIRED unless alternative methods are used to ensure confidentiality, such as IPsec tunnels or a sufficiently secure internal network.

Klaas

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
