Agree. We will clarify that.

On 10/8/12 1:11 AM, "Jim Schaad" <i...@augustcellars.com> wrote:

>
>
>> -----Original Message-----
>> From: Hao Zhou (hzhou) [mailto:hz...@cisco.com]
>> Sent: Thursday, October 04, 2012 3:06 PM
>> To: Jim Schaad; emu@ietf.org; draft-ietf-emu-eap-tunnel-
>> met...@tools.ietf.org
>> Subject: Re: [Emu] More COmments 2 on eap-tunnel-method
>> 
>> Jim:
>> 
>> Please see comments below.
>> 
>> On 10/1/12 1:10 PM, "Jim Schaad" <i...@augustcellars.com> wrote:
>> 
>> >I found two that I forgot to include in the last message
>> >
>> >1.  When exporting the user-id, does there need to be a way to
>> >distinguish at export time between the different types of ids that are
>> >authenticated by the server?  This does not seem to be an issue on the
>> >peer as it will only do mutual authentication to servers and thus only
>> >have server ids, however a server may authenticate to different types
>> >of identities on the peer.  At the moment we have identified user and
>> >machines as types of entities to be identified, I suppose in the future
>> >we could add Ewoks as a different type of entity that could be
>> >identified.  However the export function of user-ids does not make a
>> >distinction between the different types of authenticated entities.
>> >Should it do so or should it just export user authentications?
>> [HZ] It helps to export the identities as well as the corresponding
>> identity types (from the Identity Type TLV). Will add text.
>> >
>> >2.  Is there a map of TLVs that should not be sent together or need to
>> >be processed in a specific order?  The case I was looking at was for
>> >the Identity TLV and the EAP TLV.  Is there a difference in how a peer
>> >should react for the following?
>> >
>> >  Identity TLV (Send me a machine Identity), EAP TLV (Start the EAP type XX)
>> >  EAP TLV (Start EAP type XXX), Identity TLV (Send me a machine Identity)
>> >
>> >Or should these two TLVs never occur in a single message?
>> [HZ] We had some discussion in the WG and took the design principle that
>> TLV ordering should not matter. We disallow simultaneous EAP inner methods
>> and/or with Basic Password Authentication, so the order of the rest of the
>> TLVs should not matter. If it does matter, it should be a nested TLV, as in
>> the Result TLV and Request-Action TLV. Need to add text to disallow an inner
>> EAP method with a parallel Basic Password Authentication TLV.
>
>[JLS]  If the order of TLVs does not matter, then there is an implied order
>in which the TLVs should be processed.  That is, one should always process
>the Identity TLV before processing the EAP TLV, as the Identity TLV is a hint
>to the type of identity that is to be used in the EAP method.  Conversely, it
>might be that these two TLVs should never occur in the same message.
>
>Ditto with the Basic Password Authentication TLV and the Identity TLV.
>
>Jim
>
>> >
>> >Jim
>> >
>> >
>> >_______________________________________________
>> >Emu mailing list
>> >Emu@ietf.org
>> >https://www.ietf.org/mailman/listinfo/emu
>

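The ordering rule debated above, as an added example that is not code from the draft or from either participant: a small TEAP-style TLV parser that collects every TLV in a message before acting on any of them, always applies the Identity-Type hint before the inner method TLV whatever the wire order, and rejects a message that carries an EAP-Payload TLV alongside a Basic-Password-Auth-Req TLV. The TLV header layout, the type codes and the Identity-Type values are assumed from the published TEAP spec (RFC 7170), since the thread itself gives none and the 2012 draft may have numbered them differently; the inner EAP packet used as input is constructed for the example, and the rejection of duplicate TLV types is an added parser choice, not something the thread asks for.

```python
"""Order-independent handling of TEAP-style TLVs (added example).

Assumptions, not taken from the thread: the TLV header and type codes follow
the published TEAP spec (RFC 7170): a 2-octet field holding the M (mandatory)
bit, a reserved bit and a 14-bit Type, then a 2-octet Length, then Value.
"""
import struct

# TLV type codes (assumed from RFC 7170)
IDENTITY_TYPE = 2
EAP_PAYLOAD = 9
BASIC_PASSWORD_AUTH_REQ = 13

# Identity-Type TLV values (assumed from RFC 7170)
IDENTITY_TYPES = {1: "user", 2: "machine"}

# Processing order applied regardless of wire order: the identity hint first,
# then whichever single inner authentication TLV is present.
PROCESSING_ORDER = (IDENTITY_TYPE, EAP_PAYLOAD, BASIC_PASSWORD_AUTH_REQ)


def encode_tlv(tlv_type, value, mandatory=True):
    """Build one TLV: M bit | 14-bit type, 2-octet length, value."""
    header = (0x8000 if mandatory else 0) | (tlv_type & 0x3FFF)
    return struct.pack("!HH", header, len(value)) + value


def parse_tlvs(data):
    """Split a TLV sequence into (mandatory, type, value) tuples.

    Nested TLVs (the Result / Request-Action case in the thread) are just
    parse_tlvs() applied to a value; this layer needs nothing special.
    """
    tlvs = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated TLV header")
        header, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if len(data) - offset < length:
            raise ValueError("TLV length runs past end of message")
        tlvs.append((bool(header & 0x8000), header & 0x3FFF,
                     data[offset:offset + length]))
        offset += length
    return tlvs


def process_request(data):
    """Interpret a server-to-peer message under the 'order does not matter' rule.

    All TLVs are collected first, then consumed in PROCESSING_ORDER, so the
    Identity-Type hint is always seen before the inner method it applies to.
    A message carrying both EAP-Payload and Basic-Password-Auth-Req is
    rejected, as the thread proposes. Rejecting a repeated TLV type is an
    added choice so that the dictionary below is unambiguous.
    """
    by_type = {}
    for _mandatory, tlv_type, value in parse_tlvs(data):
        if tlv_type in by_type:
            raise ValueError("duplicate TLV type %d" % tlv_type)
        by_type[tlv_type] = value

    if EAP_PAYLOAD in by_type and BASIC_PASSWORD_AUTH_REQ in by_type:
        raise ValueError("EAP-Payload and Basic-Password-Auth-Req in one message")

    state = {"identity_type": None, "inner": None}
    for tlv_type in PROCESSING_ORDER:
        if tlv_type not in by_type:
            continue
        value = by_type[tlv_type]
        if tlv_type == IDENTITY_TYPE:
            if len(value) != 2:
                raise ValueError("Identity-Type TLV value must be 2 octets")
            code = struct.unpack("!H", value)[0]
            if code not in IDENTITY_TYPES:
                raise ValueError("unknown identity type %d" % code)
            state["identity_type"] = IDENTITY_TYPES[code]
        elif tlv_type == EAP_PAYLOAD:
            # Inner EAP packet: Code, Identifier, Length (2 octets), Type, ...
            if len(value) < 5:
                raise ValueError("EAP-Payload too short to carry a Type")
            state["inner"] = ("eap", value[4])
        elif tlv_type == BASIC_PASSWORD_AUTH_REQ:
            state["inner"] = ("password", value.decode("utf-8", "replace"))
    return state


if __name__ == "__main__":
    # Constructed sample: inner EAP-Request of type 26 plus a machine identity hint,
    # sent in both wire orders from the thread.
    inner_eap = bytes([1, 0x42, 0, 5, 26])
    machine = struct.pack("!H", 2)
    a = encode_tlv(IDENTITY_TYPE, machine) + encode_tlv(EAP_PAYLOAD, inner_eap)
    b = encode_tlv(EAP_PAYLOAD, inner_eap) + encode_tlv(IDENTITY_TYPE, machine)
    print(process_request(a) == process_request(b))
```

Both wire orders from Jim's question yield the same state, which is what makes "order should not matter" safe to state as a rule: the peer never acts on the EAP-Payload TLV until it knows which identity type the server asked for.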