Donald Eastlake [mailto:d3e3e3@xxxxxxxxx] writes:

...

> >> The wording in Sections 3.1 and 3.2 seems to almost be designed to allow
> >> the possibility of the multiple *-Cert Attributes carrying a
> >> certificate to appear in more than one Access-Request message. But I
> >> would assume that's not meaningful and/or was not intended to allow
> >> that.
> >
> > There is no way to do such a thing in standard RADIUS.
>
> That's what I thought and why I was puzzled as to why there was a more
> complex wording that appears to permit this. I suppose it is just the
> way the words struck me at the time I read them. But I would, instead of
>
>     If multiple PKM-SS-Cert
>     Attributes are contained within an Access-Request packet, they
>     MUST be in order and MUST be consecutive attributes in the
>     packet.
>
> have said
>
>     These multiple PKM-SS-Cert Attributes MUST appear consecutively
>     and in order within an Access-Request packet.
>
> and similarly for PKM-CA-Cert.

OK.

...

> >> This whole table needs to be carefully checked, the
> >> inconsistencies resolved, and it should be clear if literal binary
> >> attributes or some sort of logical aggregate attributes (in the case
> >> of the "Cert" attributes at least), is being counted.
> >
> > I can add notes to the table regarding the "logical" vs. "physical" nature
> > of the PKM-*-Cert Attributes, as well as a key to the meaning of "0+", etc.
> > Is that OK?
>
> Yes.

You were right, the entries for the PKM-*-Cert Attributes should have been 0+ instead of 0-1. The Table of Attributes now looks like this:

   The following table provides a guide to which attributes may be found
   in which kinds of packets, and in what quantity.
   Request  Accept  Reject  Challenge  Acct-Req  #     Attribute
   0+       0       0       0          0         TBD1  PKM-SS-Cert [Note 1]
   0+       0       0       0          0         TBD2  PKM-CA-Cert [Note 2]
   0        0-1     0       0          0         TBD3  PKM-Config-Settings
   0-1      0       0       0          0         TBD4  PKM-Cryptosuite-List
   0-1      0       0       0          0         TBD5  PKM-SAID
   0        0+      0       0          0         TBD6  PKM-SA-Descriptor
   0        0-1     0       0          0         TBD7  PKM-Auth-Key

   [Note 1] No more than one Subscriber Station Certificate may be
            transferred in an Access-Request packet.

   [Note 2] No more than one CA Certificate may be transferred in an
            Access-Request packet.

   The following table defines the meaning of the above table entries.

   0     This attribute MUST NOT be present in packet
   0+    Zero or more instances of this attribute MAY be present in packet
   0-1   Zero or one instance of this attribute MAY be present in packet
   1     Exactly one instance of this attribute MUST be present in packet

Is that OK?

...

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
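The thread turns on the difference between the "physical" count of PKM-*-Cert attributes on the wire ("0+", because a certificate larger than one RADIUS attribute can hold is carried as several consecutive attributes) and the "logical" count (at most one certificate of each kind per Access-Request, per Notes 1 and 2). The following is an added example, not code from the draft or from either correspondent: a receiver that parses the attribute list of an Access-Request, reassembles each run of consecutive PKM-SS-Cert or PKM-CA-Cert attributes into one certificate, rejects fragments that are not consecutive, and then applies the Access-Request column of the table to the logical attributes. The type codes are placeholders, since the draft leaves them as TBD1..TBD7; the certificate bytes are constructed stand-ins, not real DER; and the "non-final fragment must be full length" test is a local sanity check, not a rule the draft states. The 253-byte payload limit follows from the one-octet RADIUS Length field (RFC 2865), which covers the two-byte header.

```python
import struct
from collections import Counter

# Placeholder type codes: the draft leaves these as TBD1..TBD7 (assumption, not from the page).
PKM_SS_CERT, PKM_CA_CERT, PKM_CONFIG_SETTINGS, PKM_CRYPTOSUITE_LIST = 201, 202, 203, 204
PKM_SAID, PKM_SA_DESCRIPTOR, PKM_AUTH_KEY = 205, 206, 207
USER_NAME, NAS_IP_ADDRESS = 1, 4   # standard RADIUS attributes, used only to frame the sample
MAX_VALUE_LEN = 253                # RADIUS Length is one octet (<= 255) and includes the 2-byte header
FRAGMENTED = {PKM_SS_CERT, PKM_CA_CERT}

# Access-Request column of the draft's table, counted logically: the wire count of the
# certificate attributes is "0+", but Notes 1 and 2 allow at most one certificate of each kind.
ACCESS_REQUEST_RULES = {PKM_SS_CERT: "0-1", PKM_CA_CERT: "0-1",   # Notes 1 and 2
                        PKM_CRYPTOSUITE_LIST: "0-1", PKM_SAID: "0-1",
                        PKM_CONFIG_SETTINGS: "0", PKM_SA_DESCRIPTOR: "0", PKM_AUTH_KEY: "0"}

def encode_attr(atype, value):
    """Encode one logical attribute as one or more consecutive wire attributes."""
    chunks = [value[i:i + MAX_VALUE_LEN] for i in range(0, len(value), MAX_VALUE_LEN)] or [b""]
    return b"".join(struct.pack("!BB", atype, len(c) + 2) + c for c in chunks)

def parse_attrs(data):
    """Split a RADIUS attribute list into (type, value) pairs, preserving wire order."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack_from("!BB", data, pos)
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad Length {alen} for type {atype} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def reassemble(attrs):
    """Merge each run of consecutive same-type certificate attributes into one value.
    A certificate type that reappears after another attribute intervened breaks the draft's
    MUST-be-consecutive rule. A short non-final fragment is rejected as a local sanity check."""
    logical, closed_runs, i = [], set(), 0
    while i < len(attrs):
        atype, value = attrs[i]
        if atype not in FRAGMENTED:
            logical.append((atype, value))
            i += 1
            continue
        if atype in closed_runs:
            raise ValueError(f"type {atype}: fragments are not consecutive")
        run = []
        while i < len(attrs) and attrs[i][0] == atype:
            run.append(attrs[i][1])
            i += 1
        if any(len(frag) != MAX_VALUE_LEN for frag in run[:-1]):
            raise ValueError(f"type {atype}: short fragment before the last one")
        logical.append((atype, b"".join(run)))
        closed_runs.add(atype)
    return logical

def check_access_request(logical):
    """Enforce the Access-Request column of the table on the logical attribute list."""
    counts = Counter(atype for atype, _ in logical)
    for atype, rule in ACCESS_REQUEST_RULES.items():
        n = counts.get(atype, 0)
        if rule == "0" and n:
            raise ValueError(f"type {atype} MUST NOT be present in Access-Request")
        if rule == "0-1" and n > 1:
            raise ValueError(f"type {atype} present {n} times, at most one allowed")
    return counts

def accept_access_request(data):
    """Parse, reassemble and validate. Returns (attrs, None) on success, with attrs mapping
    type -> [values] and certificates whole, or (None, reason) when the packet is refused."""
    try:
        logical = reassemble(parse_attrs(data))
        check_access_request(logical)
    except ValueError as e:
        return None, str(e)
    result = {}
    for atype, value in logical:
        result.setdefault(atype, []).append(value)
    return result, None

# Constructed stand-ins for DER certificates (700 and 300 bytes); not real certificates.
SS_CERT = bytes(range(256)) * 2 + bytes(range(188))
CA_CERT = bytes(range(44, 256)) + bytes(range(88))
NAS_IP = encode_attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))

GOOD_REQUEST = (encode_attr(USER_NAME, b"ss-0012.example")
                + encode_attr(PKM_SS_CERT, SS_CERT) + encode_attr(PKM_CA_CERT, CA_CERT)  # 3 + 2 attrs
                + encode_attr(PKM_CRYPTOSUITE_LIST, b"\x01\x02\x03") + NAS_IP)

# Same content, but NAS-IP-Address is wedged between the first and second SS-Cert fragment.
ss_frags = parse_attrs(encode_attr(PKM_SS_CERT, SS_CERT))
BAD_REQUEST = (encode_attr(USER_NAME, b"ss-0012.example")
               + encode_attr(PKM_SS_CERT, ss_frags[0][1]) + NAS_IP
               + encode_attr(PKM_SS_CERT, ss_frags[1][1] + ss_frags[2][1]) + encode_attr(PKM_CA_CERT, CA_CERT))

# PKM-Auth-Key is "0" in Access-Request: refused even though every attribute is well formed.
LEAKY_REQUEST = GOOD_REQUEST + encode_attr(PKM_AUTH_KEY, b"\x00" * 20)
```

`accept_access_request(GOOD_REQUEST)` returns the 700-byte and 300-byte certificates whole, while `BAD_REQUEST` is refused for non-consecutive fragments and `LEAKY_REQUEST` for carrying a PKM-Auth-Key in an Access-Request. Separating reassembly from the table check keeps the "physical" and "logical" rules distinct, which is exactly the distinction the notes added to the table are meant to make explicit.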