On Feb 22, 2019, at 7:47 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:
>
>
>> In my opinion, the document MUST give guidance for implementors and site
>> administrators:
>>
>> * if resumption is used, the implementation MUST cache sufficient
>> information for the system to make appropriate policy decisions on resumption
>
> Maybe something about not relying on the outer identity to apply any kind of
> autz policies? Administrators may assume some kind of binding between the
> outer identity, the original session, and the resumed session, and assume
> it'll be consistent. In reality the user can provide any outer identity they
> like.
Yes. The NAI document discusses this situation:

https://tools.ietf.org/html/rfc7542#section-4.2

That discussion unfortunately doesn't discuss resumption.

> I know this is covered by the above point, but I feel it's worth documenting
> this case explicitly.

Yes. An explicit reference to the above section would help.

>> * resumption MUST be rejected if no cached information is available, as we
>> have no idea what policies to apply
>
> I'd argue if cached information is expected and none is available, resumption
> MUST be rejected. For the majority of cases the security policies applied to
> the different TLS-based EAP methods will be identical.

Yes, that has to happen, too.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
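A model of the resumption policy the two messages above agree on, added here as an example and not code from FreeRADIUS or the draft. Authorization for a resumed session comes only from state cached at the full handshake; a missing or expired entry rejects resumption, and the outer identity the peer sends is recorded for audit but never used for policy. The session-ID key, the VLAN attribute and the TTL are assumptions.

```python
from dataclasses import dataclass
import time


@dataclass
class AuthzRecord:
    """Policy data captured at the full handshake (constructed fields)."""
    inner_identity: str   # identity actually authenticated (e.g. certificate subject)
    outer_identity: str   # EAP-Response/Identity seen at the full handshake, audit only
    vlan: int             # example authorization attribute decided at full auth
    expires_at: float     # absolute expiry of the cached entry


class ResumptionPolicyCache:
    """Caches per-session authorization state so resumption applies the same policy."""

    def __init__(self, ttl_seconds: float = 3600.0):
        self._entries = {}          # session_id (bytes) -> AuthzRecord
        self._ttl = ttl_seconds

    def record_full_auth(self, session_id, inner_identity, outer_identity, vlan, now=None):
        """Called once the full TLS handshake and authorization decision are complete."""
        now = time.time() if now is None else now
        self._entries[session_id] = AuthzRecord(
            inner_identity, outer_identity, vlan, now + self._ttl)

    def authorize_resumption(self, session_id, outer_identity, now=None):
        """Return (accepted, reason, record, audit_notes) for a resumption attempt.

        The outer identity presented on resumption is attacker-controlled, so it is
        only compared against the original value for logging; it never selects policy.
        """
        now = time.time() if now is None else now
        rec = self._entries.get(session_id)
        if rec is None:
            # No cached data: we have no idea what policy applied, so reject.
            return False, "reject: no cached authorization data for this session", None, []
        if rec.expires_at <= now:
            del self._entries[session_id]
            return False, "reject: cached authorization data expired", None, []
        notes = []
        if outer_identity != rec.outer_identity:
            notes.append(f"outer identity changed: {rec.outer_identity!r} -> {outer_identity!r}")
        return True, "accept: policy taken from cached record", rec, notes
```

A rejected resumption should fall back to a full handshake, which then repopulates the cache.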