Re: Fwd: I-D ACTION:draft-zimmermann-avt-zrtp-03.txt

[Russ Housley <housley@xxxxxxxxxxxx>]

Richard:

I do not know what you mean.  These protocols do describe the data 
objects that need to be exchanged and the processing to determine 
whether authentication is successful or not.  However, once the 
authentication is successful, these protocols do not dictate a 
particular authorization decision based on the authenticated 
identity.  Is that the point you are trying to make?

Russ


At 05:03 PM 3/9/2007, Richard Barnes wrote:

> Alan,
>
> I think Dan address most of your points, but I did want to speak to this:
>
> > I think the key agreement proposals need to define what 
> > authentication means and the intended result if it fails.
>
> What authentication means:
> I don't want this to degenerate into a holy war, but the role of key 
> management protocols is to carry information, and not to dictate its 
> processing.  No IETF key management protocol that I know (including 
> IKE on the control plane and TLS on the data plane) of defines how 
> users should make authentication decisions, and this hasn't been a 
> limiting factor for deployment.
>
> What happens when authentication fails:
> The notion of the failure of a transaction is included in most 
> protocols, without the need for an indication of what technical or 
> policy reason caused the failure.  Using SIP/HTTP digest 
> authentication, a 401 response could mean that the username didn't 
> exist, that the password was wrong, or that the user didn't pay his 
> subscription fee. Either way, the decision is made by the server, 
> and not defined by the protocol.
>
> Cheers,
> --Richard