On Fri, Jun 12, 2020, at 23:59, Kyle Larose wrote: > > ** Section 2.3. Perhaps this is too pedantic, but should the obvious be > > explicitly called out: the user equipment should only be able to check it’s > > own > > captivity status? This would be some explicit notion of authorization. > > I recall discussing this, but I don't think we settled on a good, > simple solution. I'm > fine pointing out that the user equipment should only be able to check its own > state of captivity, but I worry that discussing authorization will > open a large can > of worms. Do the chairs have an opinion on this?
This is a reasonable requirement to state, as it motivates the existing discussion of identifier selection. A good part of the discussion we had around choosing identifiers was around the point of implicit identification and the potential for that to be spoofed. That spoofing might circumvent authorization was largely implicit, but it doesn't hurt to be explicit. Cheers, Martin _______________________________________________ Captive-portals mailing list Captive-portals@ietf.org https://www.ietf.org/mailman/listinfo/captive-portals