Re: [core] Conclusion -- Endpoint Client Name / Endpoint Name in RD draft

Hi Hannes,

Hannes Tschofenig schreef op 2018-05-07 15:50:
> Hi all,
> 
> I hope that all the discussion around the endpoint name / endpoint
> client name have helped to make you think about the security
> implications of sending an unauthenticated identifier.

To summarize what I understand.
A token provided by the authorization server (AS) contains the 
authenticated endpoint value (eventually the domain value).
This endpoint value can be provided by the AS client or is provided by 
the AS.
Provision by the AS client makes the token larger.
> 
> I would like to come to a conclusion and here is my attempt.
> 
> Since we the RD document also defines the third party provisioning I
> would suggest to make the endpoint name optional in the draft.

I probably misunderstand the meaning of optional.
What I understand from making ep optional,
is that ep is not returned in the lookup interface unless explicitly 
requested
Differentiation between registrations (endpoints) cannot be done by ep 
(,d) value, but should be done differently (how?).
> 
> I would also encourage the chairs to find out whether the third party
> provisioning is actually something in this group has gained some
> experience with.

I sent an earlier e-mail about this subject, I hope it was clear enough
> 
> Ciao

I am not clear how to go forward.
I could imagine an additional draft that specifies how to use RD with 
the AS and additional functionality needed in AS and RD.

Peter
> 
> Hannes
> 
>   IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose
> the contents to any other person, use it for any purpose, or store or
> copy the information in any medium. Thank you.
> _______________________________________________
> core mailing list
> core@ietf.org
> https://www.ietf.org/mailman/listinfo/core