Valery Smyslov writes:
> > I don't see how this can be done without breaking existing 
> > implementations, and therefore I am unhappy with the new sentence in 
> > -03, "Another example is EAP authentication when the client identity in 
> > ID payload is not used." A responder that receives a new, unknown ID 
> > type should IMHO reject the exchange as syntactically malformed. Even if 
> > some reading of the documents might lead you to think that responders 
> > should be liberal in this case, I see no benefit in breaking the 
> > non-liberal servers by using a novel ID type here.
> 
> The text is there because the draft doesn't restrict usage of ID_NULL
> to NULL Authentication only and we were asked to provide
> some examples of such usage. I agree that current implementations
> probably won't tolerate the described scenario, but I also think that we
> should allow ID_NULL to be used in some use cases that might be defined 
> in the future.
> 
> We may remove this sentence that made you unhappy and replace
> it with something like:
> 
>     If ID_NULL is used with other authentication methods than NULL
>     Authentication, then its usage must be defined in an appropriate
>     document.
> 
> BTW, is another example of using ID_NULL in this para
> acceptable to you?

I think removing the sentence saying "Another example is EAP
authentication when the client identity in ID payload is not used."
would be good. We already have one example in previous sentence (Raw
public key) which points out why you might want to use ID_NULL with
real authentication, and we do not necessarily need a second example.
And for the raw public key case, I do not think we need new document
describing how it is used with ID_NULL...

Of course we need to get the oob-pubkey draft published for that part
of text to be really useful.
-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
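An added illustration of the responder behaviour argued over in the thread above (example code written for this page, not code from the thread, from the draft, or from any IKEv2 implementation): a minimal parser for the IKEv2 Identification payload that treats an unknown ID type as a syntax error, and a responder-side policy check that accepts ID_NULL only together with NULL Authentication unless the deployment has explicitly allowed another pairing. The ID-type and authentication-method code points are the values IANA assigned via RFC 7619 (ID_NULL = 13, NULL Authentication = 13); the sample payloads, the helper names and the allowed_with_id_null parameter are constructed here.

```python
"""
Added example, not code from the thread or from any IKEv2 implementation:
a small parser for the IKEv2 Identification payload (RFC 7296, section 3.5)
plus a responder policy that rejects unknown ID types as malformed and
accepts ID_NULL only alongside NULL Authentication.  Code points are the
IANA values assigned by RFC 7619 (ID_NULL = 13, NULL Authentication = 13);
the sample payloads and helper names below are constructed for this example.
"""
import struct

# Identification Payload ID Types (RFC 7296 section 3.5; ID_NULL from RFC 7619).
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR = 1, 2, 3, 5
ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID, ID_FC_NAME, ID_NULL = 9, 10, 11, 12, 13
KNOWN_ID_TYPES = {ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR,
                  ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID, ID_FC_NAME, ID_NULL}

# Authentication Method values (RFC 7296 section 3.8; NULL from RFC 7619).
AUTH_RSA_SIG, AUTH_SHARED_KEY_MIC, AUTH_DSS_SIG, AUTH_NULL = 1, 2, 3, 13

# Generic payload header (Next Payload, C/RESERVED, Payload Length = 4 bytes)
# followed by ID Type (1 byte) and RESERVED (3 bytes, ignored on receipt).
_HDR = struct.Struct("!BBHB3x")


class MalformedPayload(ValueError):
    """Syntactic problem: a strict responder aborts the exchange (INVALID_SYNTAX)."""


class PolicyReject(ValueError):
    """Well-formed payload that local policy does not accept (AUTHENTICATION_FAILED)."""


def build_id_payload(id_type, data=b"", next_payload=0):
    """Encode an IDi/IDr payload.  ID_NULL carries no Identification Data."""
    return _HDR.pack(next_payload, 0, _HDR.size + len(data), id_type) + data


def parse_id_payload(buf):
    """Return (id_type, identification_data), raising MalformedPayload on
    anything a strict responder should refuse to interpret."""
    if len(buf) < _HDR.size:
        raise MalformedPayload("truncated Identification payload")
    _next, _flags, length, id_type = _HDR.unpack_from(buf)
    if length < _HDR.size or length > len(buf):
        raise MalformedPayload(f"bad payload length {length}")
    # Strict handling: an ID type the responder does not know is a syntax
    # error rather than something to be tolerated (the position taken above).
    if id_type not in KNOWN_ID_TYPES:
        raise MalformedPayload(f"unknown ID type {id_type}")
    data = buf[_HDR.size:length]
    # Length checks for the fixed-size types; ID_NULL has no data at all.
    expected = {ID_IPV4_ADDR: 4, ID_IPV6_ADDR: 16, ID_NULL: 0}.get(id_type)
    if expected is not None and len(data) != expected:
        raise MalformedPayload(
            f"ID type {id_type} expects {expected} data bytes, got {len(data)}")
    return id_type, data


def check_peer_identity(buf, auth_method, allowed_with_id_null=frozenset({AUTH_NULL})):
    """Responder-side policy: parse the peer's ID payload and decide whether
    the (ID type, authentication method) pairing is acceptable.

    ID_NULL is accepted only with the authentication methods listed in
    allowed_with_id_null (a parameter invented for this example).  The default
    is NULL Authentication alone, matching the draft text that any other
    pairing needs its own specification; a deployment that defines such a
    pairing extends the set explicitly.  A peer accepted this way is
    anonymous, so the SA policy applied to it should be correspondingly narrow.
    """
    id_type, data = parse_id_payload(buf)
    if id_type == ID_NULL and auth_method not in allowed_with_id_null:
        raise PolicyReject(
            f"ID_NULL is not defined for authentication method {auth_method}")
    return id_type, data


def classify(buf, auth_method):
    """Convenience wrapper returning 'ok', 'malformed' or 'policy'."""
    try:
        check_peer_identity(buf, auth_method)
    except MalformedPayload:
        return "malformed"
    except PolicyReject:
        return "policy"
    return "ok"


if __name__ == "__main__":
    # Constructed sample payloads.
    anon = build_id_payload(ID_NULL)
    fqdn = build_id_payload(ID_FQDN, b"vpn.example.com")
    novel = build_id_payload(200)              # an ID type nobody has defined
    print(classify(anon, AUTH_NULL))           # ok
    print(classify(anon, AUTH_RSA_SIG))        # policy
    print(classify(fqdn, AUTH_RSA_SIG))        # ok
    print(classify(novel, AUTH_RSA_SIG))       # malformed
```

The split between MalformedPayload and PolicyReject mirrors the distinction made in the thread: a novel ID type is a syntax problem the responder cannot interpret at all, whereas ID_NULL with a non-NULL authentication method is perfectly parseable and simply not something this responder has a definition for, so the first maps naturally to INVALID_SYNTAX and the second to AUTHENTICATION_FAILED.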
