Valery Smyslov writes:
I don't see how this can be done without breaking existing
implementations, and therefore I am unhappy with the new sentence in
-03, "Another example is EAP authentication when the client identity in
ID payload is not used." A responder that receives a new, unknown ID
type should IMHO reject the exchange as syntactically malformed. Even if
some reading of the documents might lead you to think that responders
should be liberal in this case, I see no benefit in breaking the
non-liberal servers by using a novel ID type here.
The text is there because the draft doesn't restrict usage of ID_NULL
to NULL Authentication only and we were asked to provide
some examples of such usage. I agree that current implementations
probably won't tolerate the described scenario, but I also think that we
should allow ID_NULL to be used in some use cases that might be defined
in the future.
We may remove this sentence that made you unhappy and replace
it with something like:
If ID_NULL is used with authentication methods other than NULL
Authentication, then its usage must be defined in an appropriate
document.
BTW, is the other example of using ID_NULL in this paragraph
acceptable to you?
I think removing the sentence saying "Another example is EAP
authentication when the client identity in ID payload is not used."
would be good. We already have one example in the previous sentence (raw
public key) which points out why you might want to use ID_NULL with
real authentication, and we do not necessarily need a second example.
And for the raw public key case, I do not think we need new document
describing how it is used with ID_NULL...
Of course we need to get the oob-pubkey draft published for that part
of text to be really useful.
I agree with Tero.
In conclusion, is the following text OK?
ID_NULL is primarily intended to be used with NULL
Authentication, but it MAY also be used in other situations, when the
content of the Identification payload does not matter. For example,
ID_NULL can be used when authentication is performed via raw public
keys and the identities are these keys themselves. If ID_NULL is
used with authentication methods other than NULL Authentication, then
the details of its usage must be defined in an appropriate document.
Valery.
Thanks,
Yaron
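The interoperability point raised in the thread (a responder with an older ID type table treats ID_NULL as a malformed payload, while an updated responder accepts it only where its use is defined) can be shown concretely. The following is an added example written for this page; it is not code from the draft or from any IKEv2 implementation. The wire format is the Identification payload of RFC 7296 section 3.5, the ID type and authentication method numbers are the IANA-registered values (ID_NULL = 13 and NULL Authentication = 13 from RFC 7619, which defines ID_NULL with an empty Identification Data field). The function names, the two responder "tables" and the policy of which authentication methods may accompany ID_NULL are assumptions made for the example.

```python
"""IKEv2 Identification payload encode/parse plus a responder-side check.

Constructed example for illustration: not code from the ID_NULL draft or
from any IKEv2 implementation. Field layout follows RFC 7296 section 3.5:

    Next Payload(1) | C + RESERVED(1) | Payload Length(2)
    ID Type(1)      | RESERVED(3)     | Identification Data (variable)
"""
import struct

# ID Type values (IANA "IKEv2 Identification Payload ID Types").
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR = 1, 2, 3, 5
ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID, ID_FC_NAME = 9, 10, 11, 12
ID_NULL = 13  # RFC 7619

# Authentication Method values carried in the AUTH payload.
AUTH_RSA_SIG, AUTH_SHARED_KEY, AUTH_DSS_SIG = 1, 2, 3
AUTH_NULL = 13               # RFC 7619, NULL Authentication
AUTH_DIGITAL_SIGNATURE = 14  # RFC 7427

PAYLOAD_NONE = 0  # Next Payload value meaning "last payload"

# Assumed responder tables: one predating RFC 7619, one that knows ID_NULL.
LEGACY_ID_TYPES = frozenset({ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR,
                             ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID, ID_FC_NAME})
UPDATED_ID_TYPES = LEGACY_ID_TYPES | {ID_NULL}


def build_id_payload(id_type, data=b"", next_payload=PAYLOAD_NONE):
    """Encode an IDi/IDr payload with the generic payload header."""
    body = struct.pack("!B3x", id_type) + data   # ID Type + 3 RESERVED bytes
    if len(body) + 4 > 0xFFFF:
        raise ValueError("Identification Data too long for a 16-bit length")
    # Critical bit and RESERVED bits of the second header byte are zero.
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(buf):
    """Decode the payload header and ID fields; raise on truncation."""
    if len(buf) < 8:
        raise ValueError("truncated Identification payload")
    next_payload, flags, length = struct.unpack("!BBH", buf[:4])
    if length < 8 or length > len(buf):
        raise ValueError("bad Payload Length %d" % length)
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "id_type": buf[4],
        "data": buf[8:length],
    }


def responder_check(buf, auth_method, known_id_types,
                    id_null_auth_methods=frozenset({AUTH_NULL})):
    """Decide as a responder would: return 'accept' or a rejection reason.

    known_id_types models the ID types this responder's parser understands;
    id_null_auth_methods models the (assumed) local policy listing which
    authentication methods ID_NULL is defined for.
    """
    p = parse_id_payload(buf)
    t = p["id_type"]
    if t not in known_id_types:
        # This is the "non-liberal" responder from the thread.
        return "reject: unknown ID type %d, treated as syntactically malformed" % t
    if t == ID_NULL:
        if p["data"]:
            return "reject: ID_NULL carries Identification Data"
        if auth_method not in id_null_auth_methods:
            return "reject: ID_NULL with auth method %d is not defined" % auth_method
    return "accept"


if __name__ == "__main__":
    idi = build_id_payload(ID_NULL)
    print(idi.hex())  # constructed payload
    print("legacy :", responder_check(idi, AUTH_NULL, LEGACY_ID_TYPES))
    print("updated:", responder_check(idi, AUTH_NULL, UPDATED_ID_TYPES))
    print("updated, PSK:", responder_check(idi, AUTH_SHARED_KEY, UPDATED_ID_TYPES))
```

Passing a wider id_null_auth_methods set (for instance adding AUTH_DIGITAL_SIGNATURE once a raw-public-key profile defines it) is how the "MAY be used in other situations" clause of the proposed text would be reflected on the responder; the default models the conservative reading where only NULL Authentication is accepted.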
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec