ietf

Re: Gen-ART LC Review of draft-ietf-geopriv-http-location-delivery-14.txt

2009-06-08 15:48:04

Mary Barnes said:

"It doesn't explicitly "forbid" the use of digest authn, but if it can't depend on client support, then it can't really base any decision on it."
 
The question isn't just about an authorization decision.  There is also the issue about what the LIS is supposed to do with client authentication information if it is provided.  How is this information reflected in the PIDF-LO that is returned in a HELD response?
 
Ben Campbell said:
 

"The part I was trying to highlight was the lack of client device
authentication, not LIS authentication. If I read 9.1 right, it only
covers authentication of the LIS. I assume there is no expectation that
client devices present TLS certs to the LIS, right?"

 

There are multiple potential identities that a device (and a user of that device) could assert and authenticate against.

Currently the document only talks about use of the IP address as an identity, and says little about authentication.

However, the PIDF-LO objects that are returned in HELD responses contain multiple identification fields.  Currently the document says very little about how these fields are filled in.  That leaves the protocol under-specified.

Issues of protocol behavior that are this basic shouldn't be left to an "extensions" document.

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf