Re: [HOKEY] a transparent proposal
Bernard Aboba wrote:
>> It is up to that domain to ensure all of its AAA servers have the
>> same policy. This includes managing state for multiple login detection,
>> and potentially re-auth keys.
>
> Doesn't this imply a significant degree of complexity? For example,
> one argument for the RFC 4507 PAC is that avoiding server-side state
> enables better scaling and authentication performance, because RADIUS
> servers don't replicate TLS key state.
The re-authentication credentials aren't TLS key state, though. From
the current proposals, they're just opaque keys. They may be
*generated* from TLS key state, but once generated, they can be cached
by intermediate servers.
> It's hard to reconcile that
> argument with the idea of having the domain keeping track of server side
> state.
Some server somewhere has to keep track of the re-authentication
credentials.
Alan DeKok.
archive: <http://psg.com/lists/radiusext/>