Mary Barnes said: "It doesn't explicitly 'forbid' the use of digest authn, but if it can't depend on client support, then it can't really base any decision on it."
The question isn't just about an authorization decision. There is also the issue about what the LIS is supposed to do with client authentication information if it is provided. How is this information reflected in the PIDF-LO that is returned in a HELD response?
Ben Campbell said: "The part I was trying to highlight was the lack of client device authentication, not LIS authentication. If I read 9.1 right, it only covers authentication of the LIS. I assume there is no expectation that client devices present TLS certs to the LIS, right?" There are multiple potential identities that a device (and a user of that device) could assert and authenticate against. Currently the document only talks about use of the IP address as an identity, and says little about authentication. However, the PIDF-LO objects that are returned in HELD responses contain multiple identification fields. Currently the document says very little about how these fields are filled in. That leaves the protocol under-specified. Issues of protocol behavior that are this basic shouldn't be left to an "extensions" document.
_______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf
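To make the point about "multiple identification fields" concrete, here is an added example that is not part of the thread and not code from any HELD or LIS implementation. It parses a constructed HELD locationResponse carrying one PIDF-LO, pulls out every identity-bearing field the data model provides (the presence `entity`, `dm:device` ids and `dm:deviceID`, `dm:person` ids, and tuple `contact` values), and reports which of those asserted identities were not among the identities the client actually authenticated. The sample XML, the IP-derived `entity` URI and the MAC-based `deviceID` are constructed for illustration; what a LIS should do with client authentication information is exactly the open question above, so the check is an assumed policy, not behaviour the specification mandates.

```python
import xml.etree.ElementTree as ET

# Namespaces: HELD (RFC 5985), PIDF (RFC 3863), PIDF data model (RFC 4479).
NS = {
    "held": "urn:ietf:params:xml:ns:geopriv:held",
    "pidf": "urn:ietf:params:xml:ns:pidf",
    "dm": "urn:ietf:params:xml:ns:pidf:data-model",
    "gp": "urn:ietf:params:xml:ns:pidf:geopriv10",
    "gml": "http://www.opengis.net/gml",
}

# Constructed sample: a HELD locationResponse wrapping a PIDF-LO.  The entity
# URI and the deviceID are illustrative values, not real identifiers.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<locationResponse xmlns="urn:ietf:params:xml:ns:geopriv:held">
  <presence xmlns="urn:ietf:params:xml:ns:pidf"
            xmlns:dm="urn:ietf:params:xml:ns:pidf:data-model"
            xmlns:gp="urn:ietf:params:xml:ns:pidf:geopriv10"
            xmlns:gml="http://www.opengis.net/gml"
            entity="pres:192.0.2.10@lis.example.com">
    <dm:device id="target">
      <gp:geopriv>
        <gp:location-info>
          <gml:Point srsName="urn:ogc:def:crs:EPSG::4326">
            <gml:pos>-34.407 150.88</gml:pos>
          </gml:Point>
        </gp:location-info>
        <gp:usage-rules/>
        <gp:method>Wiremap</gp:method>
      </gp:geopriv>
      <dm:deviceID>mac:00-11-22-33-44-55</dm:deviceID>
      <dm:timestamp>2009-01-01T00:00:00Z</dm:timestamp>
    </dm:device>
  </presence>
</locationResponse>
"""


def identity_fields(held_xml):
    """Collect every identity-bearing field in the PIDF-LO of a HELD response."""
    root = ET.fromstring(held_xml)
    presence = root.find("pidf:presence", NS)
    if presence is None:
        raise ValueError("HELD response carries no PIDF-LO <presence> element")

    def texts(path):
        return [e.text.strip() for e in presence.findall(path, NS) if e.text]

    return {
        # Presentity URI the LIS asserts the location belongs to.
        "entity": presence.get("entity"),
        # Document-local ids of <dm:device> and <dm:person> elements.
        "device_ids": [d.get("id") for d in presence.findall("dm:device", NS)],
        "person_ids": [p.get("id") for p in presence.findall("dm:person", NS)],
        # Device identifiers (MAC, IMEI, ...) and tuple contact URIs.
        "device_identifiers": texts("dm:device/dm:deviceID"),
        "contacts": texts("pidf:tuple/pidf:contact"),
    }


def unauthenticated_assertions(held_xml, authenticated_identities):
    """Return, sorted, the identities the PIDF-LO asserts that the client did
    NOT authenticate.  An empty list means every asserted identity is backed
    by client authentication (an assumed policy, not a HELD requirement)."""
    fields = identity_fields(held_xml)
    asserted = set(fields["device_identifiers"]) | set(fields["contacts"])
    if fields["entity"]:
        asserted.add(fields["entity"])
    return sorted(asserted - set(authenticated_identities))


if __name__ == "__main__":
    print(identity_fields(SAMPLE_RESPONSE))
    # Client only proved possession of the IP-derived presentity, not the MAC.
    print(unauthenticated_assertions(SAMPLE_RESPONSE,
                                     {"pres:192.0.2.10@lis.example.com"}))
```

The interesting output is the second call: the LIS has written a `dm:deviceID` into the PIDF-LO that nothing in the exchange authenticated, which is the kind of unspecified behaviour the message above is complaining about. Whether that should be an error, a warning, or simply omitted from the response is the decision the document currently leaves open.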