see comments inline
abbie
> -----Original Message-----
> From: Eric Burger [mailto:eburger@xxxxxxxxxxxxx]
> Sent: Monday, October 21, 2002 10:35 PM
> To: OPES Group
> Subject: Authentication Requirements in opes-authorization-00
> (section 4.2)
>
>
>
> Section 4.2 states, "The service provider MUST keep a log of
> all requests for OPES services".
>
> Last I looked, the IETF is a protocol standards body, not a
> legislative body. Unless the *protocol* REQUIRES the service
> provider to keep the log, this is an unenforceable
> requirement. I agree that we need to state our sentiment. A
> better place may be in the security section.
>
-- agree.
> Likewise, "The trusted users must be authenticated before
> being allowed to take actions" is a similar policy, not
> protocol statement. The good news is "must" is not
> capitalized. However, this statement again does not belong
> in this section, and should be a SHOULD.
>
-- agree.
> The next paragraph is a place where we can have protocol
> machinery: "The PEP's should be authenticated before they
> receive policy rules". If we care, then I would propose,
> "Because of the sensitivity of user profiles, the PEP
> Interface between the PEP and the PDP MUST use a secure
> transport protocol."
>
>
-- I do see the point.
-- Maybe we should have a section that refers to good practice, which includes non-protocol-related items.
abbie