Re: Fwd: I-D ACTION:draft-zimmermann-avt-zrtp-03.txt
I do not know what you mean. These protocols do describe the data
objects that need to be exchanged and the processing to determine
whether authentication is successful or not. However, once the
authentication is successful, these protocols do not dictate a
particular authorization decision based on the authenticated
identity. Is that the point you are trying to make?
At 05:03 PM 3/9/2007, Richard Barnes wrote:
I think Dan addressed most of your points, but I did want to speak to this:
I think the key agreement proposals need to define what
authentication means and the intended result if it fails.
What authentication means:
I don't want this to degenerate into a holy war, but the role of key
management protocols is to carry information, and not to dictate its
processing. No IETF key management protocol that I know of (including
IKE on the control plane and TLS on the data plane) defines how
users should make authentication decisions, and this hasn't been a
limiting factor for deployment.
What happens when authentication fails:
The notion of the failure of a transaction is included in most
protocols, without the need for an indication of what technical or
policy reason caused the failure. Using SIP/HTTP digest
authentication, a 401 response could mean that the username didn't
exist, that the password was wrong, or that the user didn't pay his
subscription fee. Either way, the decision is made by the server,
and not defined by the protocol.