> In the same spirit of keeping clarity, I'd say that Additional-Authorization
> would be more correct choice, unless adding a new Service-Type would somehow
> complicate adoption...

Agreed.

> >> - the first Access-Accept must contain a State attribute
> >> for is already required for use of Authorize-Only
> >>
> >> - additional authorization attributes are received via a series
> >> of Access-Request / Access-Challenge
> >>
> >> - each Access-Request MUST contain Service-Type = Authorize-Only
> >> and a State
>
> Or, respectively, Additional-Authorization, isn't it?

No, it's an extension/reworking of the concept described in RFC 3576 3.1, but the trigger is an Access-Accept packet with the Service-Type/Additional-Authorization attribute.

> >> - the State MUST change for each Access-Challenge response
> >> I can get into that later
>
> I can imagine this is with the intention of guaranteeing order and avoiding
> (or alleviating) MITM attacks, right?

Yes, correct. The packets don't contain any explicit ordering information, so the attributes are just concatenated together in the order they're received.

-Arran

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
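The exchange discussed in the thread, modelled as an added example (not code from the thread, the ABFAB working group, or any RADIUS implementation): an Access-Accept carrying Service-Type = Additional-Authorization plus a State starts a series of Access-Request / Access-Challenge round trips, every response carries a fresh State, the server rejects any request whose State is not the most recently issued one, and the NAS side simply concatenates the received attributes in arrival order. Packet encoding, the numeric Service-Type value for Additional-Authorization (not given in the thread), the credential check and the attribute contents are all simplified or constructed for illustration.

```python
import secrets
from dataclasses import dataclass

# Attribute names come from the thread. RADIUS encodes Service-Type as an
# integer; no numeric value for Additional-Authorization is given in the
# thread, so this model uses the name itself as a placeholder value.
ADDITIONAL_AUTHORIZATION = "Additional-Authorization"
CONTROL_ATTRS = ("State", "Service-Type")


@dataclass
class Packet:
    code: str      # Access-Request / Access-Challenge / Access-Accept / Access-Reject
    attrs: list    # ordered (name, value) pairs, as attributes appear in a RADIUS packet


def get(attrs, name):
    """First value of attribute `name`, or None if absent."""
    return next((v for n, v in attrs if n == name), None)


class AuthzServer:
    """Constructed server model: delivers authorization attributes in rounds,
    one round per Access-Challenge, the last round in the final Access-Accept."""

    def __init__(self, rounds):
        self.rounds = list(rounds)    # attribute lists, delivered in this order
        self.expected_state = None    # State issued most recently; None before start
        self.index = 0
        self.closed = False           # set once the series ends or a check fails

    def _fresh_state(self):
        # State MUST change on every response that expects a follow-up request;
        # a random, unpredictable value is what makes replay/out-of-order detectable.
        self.expected_state = secrets.token_hex(16)
        return self.expected_state

    def handle(self, req):
        if self.closed or req.code != "Access-Request":
            return Packet("Access-Reject", [])
        if self.expected_state is None:
            # Initial authentication (credential check assumed to succeed here).
            # The Access-Accept that triggers additional authorization carries
            # Service-Type = Additional-Authorization and the first State.
            return Packet("Access-Accept", [("Service-Type", ADDITIONAL_AUTHORIZATION),
                                            ("State", self._fresh_state())])
        # Every follow-up Access-Request MUST carry the Service-Type and the State
        # from the previous response; anything else (replayed or reordered State)
        # terminates the series with an Access-Reject.
        if (get(req.attrs, "Service-Type") != ADDITIONAL_AUTHORIZATION
                or get(req.attrs, "State") != self.expected_state):
            self.closed = True
            return Packet("Access-Reject", [])
        attrs = list(self.rounds[self.index])
        self.index += 1
        if self.index < len(self.rounds):
            attrs.append(("State", self._fresh_state()))   # more rounds to come
            return Packet("Access-Challenge", attrs)
        self.closed = True                                  # last round: done
        return Packet("Access-Accept", attrs)


def run_exchange(server, user="alice"):
    """Constructed NAS side: drives the series and returns (final code, attributes
    concatenated in the order they were received, with control attributes removed)."""
    resp = server.handle(Packet("Access-Request", [("User-Name", user)]))
    collected = []
    while True:
        if resp.code == "Access-Reject":
            return "Access-Reject", collected
        # No explicit ordering information in the packets: just append in arrival order.
        collected.extend((n, v) for n, v in resp.attrs if n not in CONTROL_ATTRS)
        if resp.code == "Access-Accept" and get(resp.attrs, "Service-Type") != ADDITIONAL_AUTHORIZATION:
            return "Access-Accept", collected
        resp = server.handle(Packet("Access-Request", [
            ("User-Name", user),
            ("Service-Type", ADDITIONAL_AUTHORIZATION),
            ("State", get(resp.attrs, "State")),
        ]))


def replay_demo():
    """Shows the State check doing its job: a request reusing an earlier State,
    as an out-of-order or replayed packet would, is rejected. Returns
    (code of the legitimate follow-up, code of the replayed request)."""
    server = AuthzServer([[("Filter-Id", "acl-1")], [("Session-Timeout", "3600")]])
    first = server.handle(Packet("Access-Request", [("User-Name", "alice")]))
    old_state = get(first.attrs, "State")
    legit = server.handle(Packet("Access-Request", [("Service-Type", ADDITIONAL_AUTHORIZATION),
                                                     ("State", old_state)]))
    replay = server.handle(Packet("Access-Request", [("Service-Type", ADDITIONAL_AUTHORIZATION),
                                                      ("State", old_state)]))
    return legit.code, replay.code


if __name__ == "__main__":
    # Constructed sample: three rounds of authorization attributes.
    srv = AuthzServer([[("Filter-Id", "acl-1")],
                       [("Reply-Message", "group=staff")],
                       [("Session-Timeout", "3600")]])
    print(run_exchange(srv))
    print(replay_demo())
```

Two things the model makes visible: the NAS never needs sequence numbers because each round trip is serialised by the State it must echo, and the server closes the series on the first mismatch rather than silently continuing, so a stale or replayed State cannot splice attributes into someone else's session.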
