On Wed, 23 Jul 2025 at 11:16, Alan DeKok <alan.dekok= 40inkbridge...@dmarc.ietf.org> wrote:
> This is a minor comment.
>
> Section 6.1:
>
>   A peer supporting EAP-PPT MUST NOT send its username or any other
>   permanent identifiers in the first and subsequent EAP-Response/Identity
>   messages. The EAP-Response/Identity message MUST contain only realm portion
>   in order to route the authentication request to the right EAP server. It is
>   RECOMMENDED to eliminate the identity exchange altogether if the route is
>   known through some other means.
>
> This text could be confusing. Plus, I'm not sure that it's possible to
> eliminate the identity exchange. I would suspect that empty identities
> could also have interoperability problems.

I'd also keep the identity exchange. In many cases it's required; for example, the 802.1X authenticator in wired and wireless networks requires it. When it's really not needed, such as in IKEv2 [1], those cases can give further advice on when and how to drop the initial Identity-Request/Response exchange.

[1] https://datatracker.ietf.org/doc/html/rfc7296#section-3.16

EAP-TLS uses the word "typically" when it talks about the identity exchange being used when EAP-TLS starts.
https://datatracker.ietf.org/doc/html/rfc5216#section-2.1

The easiest update to the draft could be just to drop the sentence with 'RECOMMENDED' altogether, or use a lower-case weasel word if something needs to be said. Using an uppercase RFC 2119 key word looks a bit too strong in my opinion. That may cause a developer to come up with an option toggle etc. that is unnecessary just to satisfy RECOMMENDED.

--
Heikki Vatiainen
h...@radiatorsoftware.com
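To make the realm-only rule in the quoted Section 6.1 text concrete, here is an added example (not code from the draft, the thread, or any EAP implementation) that builds an EAP-Response/Identity carrying only the realm portion of an NAI and shows what an authenticator can still route on; the packet layout follows RFC 3748 and the NAI split follows RFC 7542, the function names and the sample identities are assumptions.

```python
import struct

EAP_CODE_RESPONSE = 2   # RFC 3748 s.4: Code 2 = Response
EAP_TYPE_IDENTITY = 1   # RFC 3748 s.5.1: Type 1 = Identity


def realm_only_identity(nai: str) -> str:
    """Drop the username from an NAI ('user@realm', RFC 7542) and keep '@realm'.

    Returns '' when the NAI has no realm, i.e. there is nothing to route on.
    Splitting at the last '@' keeps realms intact when the user part itself
    contains '@' (RFC 7542 allows that in quoted user names)."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not realm:
        return ""
    return "@" + realm


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Encode EAP-Response/Identity: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    data = identity.encode("utf-8")
    length = 5 + len(data)                       # header is 5 octets incl. Type
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier,
                       length, EAP_TYPE_IDENTITY) + data


def parse_identity_response(pkt: bytes) -> dict:
    """Decode an EAP-Response/Identity and report what it exposes.

    'has_user_part' is True when a username precedes the realm, which the
    quoted Section 6.1 forbids; 'realm' is what the authenticator/proxy can
    route on and is '' for the empty identity the thread worries about."""
    code, identifier, length, typ = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_CODE_RESPONSE or typ != EAP_TYPE_IDENTITY or length != len(pkt):
        raise ValueError("not a well-formed EAP-Response/Identity")
    identity = pkt[5:length].decode("utf-8")
    user, sep, realm = identity.rpartition("@")
    return {"identifier": identifier, "identity": identity,
            "has_user_part": bool(user), "realm": realm if sep else ""}


if __name__ == "__main__":
    # Constructed sample: peer holds 'alice@example.com' but sends only the realm.
    wire = build_identity_response(7, realm_only_identity("alice@example.com"))
    print(wire.hex(), parse_identity_response(wire))
```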