Re: [radext] #148: Review of dynamic-discovery by Jim Schaad
Stefan Winter <stefan.winter@restena.lu> Wed, 06 March 2013 12:38 UTC
Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFEBE21F8867 for <radext@ietfa.amsl.com>; Wed, 6 Mar 2013 04:38:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.374
X-Spam-Level:
X-Spam-Status: No, score=-2.374 tagged_above=-999 required=5 tests=[AWL=0.225, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RmxKvDPIDqWG for <radext@ietfa.amsl.com>; Wed, 6 Mar 2013 04:38:44 -0800 (PST)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id 4975721F8826 for <radext@ietf.org>; Wed, 6 Mar 2013 04:38:44 -0800 (PST)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 9EF3510A06 for <radext@ietf.org>; Wed, 6 Mar 2013 13:38:43 +0100 (CET)
Received: from [IPv6:2001:a18:1:8:cf1:29dd:507b:4405] (unknown [IPv6:2001:a18:1:8:cf1:29dd:507b:4405]) by smtprelay.restena.lu (Postfix) with ESMTPS id 8DB3510A03 for <radext@ietf.org>; Wed, 6 Mar 2013 13:38:43 +0100 (CET)
Message-ID: <513738D3.9030602@restena.lu>
Date: Wed, 06 Mar 2013 13:38:43 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130215 Thunderbird/17.0.3
MIME-Version: 1.0
To: radext@ietf.org
References: <065.a122826c6d7c009295065142646863ee@trac.tools.ietf.org> <512E23F3.3000307@restena.lu> <tslip5dn5jb.fsf@mit.edu> <512E2846.5090702@restena.lu> <tsl621dn4gq.fsf@mit.edu> <5134C626.7090408@restena.lu> <tslk3pnno2j.fsf@mit.edu>
In-Reply-To: <tslk3pnno2j.fsf@mit.edu>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="----enig2NEMPBSAMHAVCDRLDBOHQ"
X-Virus-Scanned: ClamAV
Subject: Re: [radext] #148: Review of dynamic-discovery by Jim Schaad
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2013 12:38:44 -0000
Hi, > I'm missing something here. I'm not arguing that eduroam should use > certificate validation. I'm simply arguing that there should be a MTI > certificate validation strategy. We're documenting a generic mechanism > here, not eduroam practice, right? I agree we want eduroam to comply > with the spec, but an MTI security mechanism you choose not to use in > your enviroment doesn't violate the spec. My issue is not that the MTI mechanism would not be identical to what eduroam does; far from it. My issue is that this particular mechanism is known to have scalability issues by practical experimentation. Of course we could make it MTI anyway. The consequence might well be that we require code in conforming servers that is later "never" used because its practical implications are clumsy. That would be "specifying MTI for MTI's sake" - without much real value in the real world, and code being written for no reason other than to comply with the "law". I don't really like that situation. Of course our scalability problems could be entirely homemade and not applicable to the rest of the world, and every other deployer will find the MTI mechanism as sketched perfectly fine, and the implementation code will be put to good use. Then I'd have no issues with specifying this; eduroam would simply be doing its own thing anyway. It's just that I'm not really convinced that this is the case. Greetings, Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
- [radext] #148: Review of dynamic-discovery by Jim… radext issue tracker
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jouni Korhonen
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… radext issue tracker
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… radext issue tracker