RE: [Christopher.Carroll@ropesgray.com: RE: draft-carroll-dynmobileip-cdma-04.txt]
Christopher Carroll has written...
(BTW, it's interesting that this correspondence comes from a law firm.)
> It appears that the IETF has recognized that an attribute in the
> Access-Reject is acceptable according to RFC 2869 and RFC 3579.
An attribute, yes. One that provisions service, no. Attributes
contained in an Access-Reject are intended to convey to the user why the
access failed. End of story.
> The expert argues "To provision a service to a denied user would imply
> that they have not been denied access after all." Regardless of what is
> implied, the user is explicitly denied access until authentication is
> successful.
Hmmm... Semantic wrangling? Access-Reject means "no service". No means
no.
> Perhaps the expert can provide a more substantive reason as to why and
> how the RADIUS security model would be broken by this attribute.
Because "no" would no longer mean "no"?