I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please wait for direction from your document shepherd or AD before
posting a new version of the draft.

Document: draft-ietf-radext-radsec-11
Reviewer: Peter McCann
Review Date: 2012-01-30
IETF LC End Date:
IESG Telechat date: 2012-02-02

Summary: 2 minor issues

Major issues: none

Minor issues:

Section 2.4:

   In TLS-X.509 with PKI infrastructure, a client is uniquely identified
   by the serial number of the tuple (presented client certificate;Issuer).

SHOULD BE:

   In TLS-X.509 with PKI infrastructure, a client is uniquely identified
   by the tuple (serial number of presented client certificate;Issuer).

Because RADIUS supports the Disconnect Request (server-to-client)
message, it seems that there is some requirement to keep the TLS
session open for the duration of the access that was authorized.
Otherwise, the server would not be able to send such a packet to the
client without initiating its own TLS connection, which may not be
possible or desirable. Is this aspect of the specification inherited
from the referenced TCP specification? It may be helpful to add a
paragraph about this issue.

Nits/editorial comments:

Section 2.3:

   x.y.z

Did you mean to fill in a real section number here?

   Note Section 3.4 (1) )

Missing open paren?

Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art
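The following is an added example, not part of the review above or of the radsec draft. It shows, in Go, what the corrected wording of section 2.4 means in practice on a TLS server: the client identity is the (serial number of presented client certificate; Issuer) tuple, not the serial number alone. Two in-memory CAs are constructed for the example and both issue a client certificate with the same serial number; under the serial-only reading the two clients collide, under the tuple reading they do not. The type names ClientIdentity and IdentificationOutcome, the helper functions, the issuer names and the serial value 4242 are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ClientIdentity is the (serial number of presented client certificate;
// Issuer) tuple the review proposes as the unique client identifier.
// The type and field names are assumptions of this example, not the draft's.
type ClientIdentity struct {
	Serial string // decimal form of the certificate serial number
	Issuer string // issuer distinguished name, RFC 2253 string form
}

// IdentityFromCert derives the identification tuple from a parsed X.509
// certificate, e.g. tls.ConnectionState.PeerCertificates[0] on a server.
func IdentityFromCert(c *x509.Certificate) ClientIdentity {
	return ClientIdentity{
		Serial: c.SerialNumber.String(),
		Issuer: c.Issuer.String(),
	}
}

// IdentificationOutcome records whether two client certificates would be
// conflated under the two readings of section 2.4.
type IdentificationOutcome struct {
	SameSerial bool // serial number alone would conflate the two clients
	SameTuple  bool // the (serial; issuer) tuple would conflate them
}

func (o IdentificationOutcome) String() string {
	return fmt.Sprintf("serial-only collision=%t, tuple collision=%t", o.SameSerial, o.SameTuple)
}

// Compare evaluates both readings for a pair of client certificates.
func Compare(a, b *x509.Certificate) IdentificationOutcome {
	return IdentificationOutcome{
		SameSerial: a.SerialNumber.Cmp(b.SerialNumber) == 0,
		SameTuple:  IdentityFromCert(a) == IdentityFromCert(b),
	}
}

// NewCA builds a self-signed, in-memory CA so the example runs offline.
// The issuer names passed in below are constructed for the example.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// IssueClientCert issues a client-auth certificate with a caller-chosen
// serial number, so that certificates from independent CAs can be made
// to share a serial. Serial numbers are only unique per issuer.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	caA, keyA, err := NewCA("Example Issuer A") // constructed issuer name
	if err != nil {
		panic(err)
	}
	caB, keyB, err := NewCA("Example Issuer B") // constructed issuer name
	if err != nil {
		panic(err)
	}
	fromA, err := IssueClientCert(caA, keyA, 4242, "client-a")
	if err != nil {
		panic(err)
	}
	fromB, err := IssueClientCert(caB, keyB, 4242, "client-b")
	if err != nil {
		panic(err)
	}
	fmt.Println("client-a identity:", IdentityFromCert(fromA))
	fmt.Println("client-b identity:", IdentityFromCert(fromB))
	fmt.Println("client-a vs client-b:", Compare(fromA, fromB))
}
```

A RadSec server that keys its per-client state (shared secret, realm, authorization) on ClientIdentity rather than on the serial alone will not confuse two clients whose certificates happen to carry the same serial number under different issuers; the issuer must of course still chain to a CA the server trusts, which is the TLS layer's job, not this lookup's.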
