Vidya, I found the model you proposed didn't fit what Dan was talking about very well.

In particular, Dan wants to focus on problems resulting from the fact that the name of the authenticator used between the peer and the authenticator may be different than the name of the authenticator used between the authenticator and the AAA server. That distinction did not figure prominently enough in your argument that I could tell whether you and Dan are talking about the same thing nor whether I could even tell if I agreed with you.

I'd recommend refocusing your model on this distinction; I think once you do we may well make significant progress on discussing a long-standing issue.

--Sam

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf