Hi,
Referring to Sec. 3.5 of http://tools.ietf.org/html/draft-ietf-emu-eaptunnel-req-03, there should be an indication to the application that is using EAP that such "strange" authentication took place. For example, the VoIP server may then make sure that only calls to 911 or 112 are allowed. Otherwise there is no way to authorize the user without some backchannel into the AAA. So I propose to add: "The tunnel method, if it supports emergency services, MUST provide an indication at the EAP or EAP-method level that such authentication took place; the indication MUST be unencrypted but integrity protected".

Sec. 4.1.1 has requirements on algorithm agility. They are important, but insufficient. I propose to mention that when the tunnel method uses certificates, it MUST be possible to migrate to new algorithms for such certificates as well. (This possibly belongs in 4.2.1.)

Sec. 4.5.1: I suggest mentioning that even in cases where passwords are *not* sent in the clear (e.g. challenge-response methods), server authentication is still a MUST.

Sec. 4.5.4 mentions "housekeeping functions". It would be useful to add some detail here.

Thanks,
Yaron
_______________________________________________ Emu mailing list [email protected] https://www.ietf.org/mailman/listinfo/emu
