Glen Zorn wrote:
> I don't know; what do you call it when you turn off the ringer on your phone
> (to use an example similar to the one you gave above)? The fact that you
> don't answer the phone has nothing to do with who's calling (authentication)
> nor whether you want to talk to them (authorization).

Using that analogy: what do you call a policy that has you turning your cell phone off when in one place, and on again in another? It's not authentication, because you don't care who's calling. It's not authorization, because no one is being authenticated.

> Again, since authentication is irrelevant to the policies, how are the
> policies relevant to EAP (aside from the fact that it's just so darn
> convenient)?

To use NEA as an example, the decision about whether or not to return "success" or "fail" depends on information OTHER than strictly a username/password check. This information is called "authentication credentials", which can be:

1) username / password (PAP)
2) client certificate (TLS-based methods)
   * issuer
   * expiry
   * etc.
3) machine status, etc. (NEA)

I find it curious that you're willing to accept the first two as being acceptable for authentication, but not the third. How do you determine that "X" is acceptable as an authentication credential, but "Y" is not? A clear explanation of the method is most welcome.

Your presentation so far has been "Glen says it's OK", or "Glen says it's not OK". That isn't anything we can put into a specification.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu