Hi Dan,

On May 4, 2011, at 9:47 PM, Dan Harkins wrote:

> On Tue, May 3, 2011 10:30 pm, Yoav Nir wrote:
> [snip]
>> The Authenticator needs the true identity to make policy decisions.
>
> Well then DO NOT use EAP for authentication.
>
> Dan.

I'm sure I don't understand your point. The IKE responder does not need to know the user's true identity in the sense of whether she is a cat person or a dog person. "al...@example.com" is good enough for policy lookups and policy decisions, as well as for generating meaningful logs. "1542a0f74aef5...@example.com", where the part before the at-sign is a hex representation of an ephemeral key, is not.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
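The policy-lookup and logging point above, as an added illustration that is not part of the thread and not code from any IKE or EAP implementation. It models an IKE responder that keys its policy table and audit log on the peer identity it receives (an RFC 822 style `user@realm` string). Two sessions from the same user are run twice: once with a stable identity, once with an identity whose local part is the hex of a fresh random per-session key. The policy table, the realm `example.com`, the identity construction and the log format are all constructed for this example; no specific EAP method's identity derivation is implied.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed policy table keyed on the peer identity (hypothetical entries).
POLICY: Dict[str, dict] = {
    "alice@example.com": {"allowed_subnets": ["10.1.0.0/16"], "lifetime_s": 3600},
    "bob@example.com": {"allowed_subnets": ["10.2.0.0/16"], "lifetime_s": 1800},
}

REALM = "example.com"  # assumed realm for the constructed identities


def stable_id(user: str) -> str:
    """A persistent identity the responder can look up and log (assumption: user@realm)."""
    return f"{user}@{REALM}"


def ephemeral_id(nbytes: int = 32) -> str:
    """Identity whose local part is the hex of a fresh random key.

    Constructed stand-in for 'hex of an ephemeral key'; a new key is drawn
    per session, so the same user presents a different string every time.
    """
    return f"{secrets.token_bytes(nbytes).hex()}@{REALM}"


def lookup_policy(peer_id: str) -> Optional[dict]:
    """Responder-side policy lookup; None means 'no policy for this identity'."""
    return POLICY.get(peer_id)


def audit_line(session: int, peer_id: str, decision: str) -> str:
    """One constructed audit-log line per session."""
    return f"session={session} id={peer_id} decision={decision}"


def run_sessions(id_factory: Callable[[], str], n: int = 2) -> Tuple[List[str], List[str]]:
    """Run n sessions for one user; return the per-session decisions and log lines."""
    decisions, log = [], []
    for s in range(1, n + 1):
        peer_id = id_factory()
        decision = "accept" if lookup_policy(peer_id) else "reject"
        decisions.append(decision)
        log.append(audit_line(s, peer_id, decision))
    return decisions, log


def sessions_correlatable(log: List[str]) -> bool:
    """True if every log line carries the same identity, i.e. an operator can tie them together."""
    ids = {line.split(" ")[1] for line in log}
    return len(ids) == 1


if __name__ == "__main__":
    for label, factory in (("stable", lambda: stable_id("alice")), ("ephemeral", ephemeral_id)):
        decisions, log = run_sessions(factory)
        print(label, decisions, "correlatable:", sessions_correlatable(log))
        for line in log:
            print("  ", line)
```

With the stable identity both sessions hit Alice's policy and the two log lines share one identity; with the ephemeral-key identity neither session matches any policy entry (the responder falls back to reject, or would have to accept anything), and the log lines cannot be tied to the same user.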