see comments inline
abbie
-----Original Message-----
From: Eric Burger [mailto:eburger(_at_)snowshore(_dot_)com]
Sent: Monday, October 21, 2002 10:35 PM
To: OPES Group
Subject: Authentication Requirements in opes-authorization-00 (section 4.2)
Section 4.2 states, "The service provider MUST keep a log of
all requests for OPES services".
Last I looked, the IETF is a protocol standards body, not a
legislative body. Unless the *protocol* REQUIRES the service
provider to keep the log, this is an unenforceable
requirement. I agree that we need to state our sentiment. A
better place may be in the security section.
-- agree.
Likewise, "The trusted users must be authenticated before
being allowed to take actions" is a similar policy, not
protocol statement. The good news is "must" is not
capitalized. However, this statement again does not belong
in this section, and should be a SHOULD.
-- agree
The next paragraph is a place where we can have protocol
machinery: "The PEP's should be authenticated before they
receive policy rules". If we care, then I would propose,
"Because of the sensitivity of user profiles, the PEP
Interface between the PEP and the PDP MUST use a secure
transport protocol."
-- I do see the point.
-- Maybe we should have a section that refers to good practice, which
includes non-protocol related items.
abbie