Hi,
> This is a desirable property IMHO. It's not unusual for directories to
> employ policies that limit the use of credentials if they are about to
> expire. If you can't log on to the network to change your credentials so
> that you can log onto the network, you have a chicken-and-egg situation.
> {EAP-}MSCHAP allows this, of course, so perhaps it doesn't need to be a
> property of the outer-method providing that the outer-method doesn't
> preclude the option.
The section in question states that the (outer) tunnel method SHOULD
provide support for it. Your reasoning is perfectly fine for MS-CHAP in
the *inner* auth. The outer method is not supposed to interfere with the
inner method's proceeding and doesn't need to provide any special support.
The property of being able to change passwords within the payload of the
tunnel method is already expressed in section 4.5.4 when it comes to
dealing with legacy password databases in the inner auth (where it
belongs, IMHO). I'd suggest either mentioning it only there, or making
sure in 3.1 that any such management operation is not the tunnel
method's "business".
> TLS is not itself a CPU intensive protocol, although some of the cipher
> suites are.
Point taken. That does not make the para in the document much more
useful though IMHO.
Greetings,
Stefan
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu