On 19/02/15 at 10:16, Klaas Wierenga (kwiereng) wrote:
On 19 Feb 2015, at 09:56, Leif Johansson <[email protected]> wrote:
On 02/19/2015 09:00 AM, Alejandro Perez Mendez wrote:
Hi Sam,
thanks for the review. See my comments below.
On 17/02/15 at 23:49, Sam Hartman wrote:
Section 4:
I thought we were going to make RADIUS over TLS a MUST not a SHOULD.
Current text says recommended.
Whereas version -09 stated once (in section 5.2) that the use of TLS was
REQUIRED, throughout the rest of the text it indicated several times this support
as RECOMMENDED (sections 7.4.5, 8.3.2, and 10). I just homogenized them
to the prevailing one.
Nevertheless, I think that making TLS a MUST might be limiting. There
might be some use case scenarios for this profile where using TLS is not
actually required (e.g. other security mechanisms apply). I would see
that kind of requirement more for the ABFAB architecture level than for
this I-D level. Moreover, in the saml-profiles-2.0-os document, the use
of TLS is indicated as RECOMMENDED.
Speaking as an individual I don't think there are any sane reasons not
to use TLS if you relax the requirements on credentials administration
(e.g. run opportunistic TLS). Having said that, I think probably RECOMMENDED
is strong enough anyway.
Speaking as another individual, you could go the route that other drafts have
taken and say something like:
TLS is REQUIRED unless alternative methods are used to ensure confidentiality
like IPSEC tunnels or a sufficiently secure internal network.
That text sounds quite reasonable to me. I was also thinking of
including DTLS as an alternative.
Regards,
Alejandro
Klaas
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab