Re: [Pana] WGLC comments on draft-ietf-pana-preauth-04
On Fri, Feb 13, 2009 at 11:36:38AM +0200, Alper Yegin wrote:
> > > > In the same section, it appears that "pre-authorization" is simply a
> > > > pre-provisioned filter applied to all traffic but that is not actually
> > > > clear from the document.
> > >
> > > Document says:
> > >
> > > Pre-authorization: An authorization for a PaC, made by a CPAA for
> > > the PaC at the time of pre-authentication.
> > >
> > > Not sure where a "pre-provisioned" filter comes into play. Basically
> > > pre-authorization is the state a PaC reaches when it completes a
> > > successful pre-authentication. And post-authorization is the state a PaC
> > > reaches when it attaches to one of the candidate networks with whom it has
> > > reached pre-authorization state.
> >
> > OK, so what relation do these states have to the arrival of AAA
> > authorization? My comment about pre-provisioned filters pertained to the
> > authorization state before the arrival of a RADIUS Access-Accept message,
> > for example. As I noted later, the transition between the
> > "pre-authorization" & "post-authorization" states doesn't appear to actually
> > have anything to do with authorization. In any case, this whole thing is
> > pretty confusing & I think that it would be a good idea to clarify it.
>
> I agree.
>
> There are no two separate AAA authorizations taking place. There is only one
> RADIUS Access-Accept.
>
> I wonder if we lose anything if we were to drop these new terms: pre-authz,
> post-authz.
>
> What we really mean to convey is: A PaC is authorized on the candidate PAA
> by means of pre-authentication procedure prior to the PaC's attachment to
> the PAA's network (candidate network).

Commenting as editor, I need more specific guidance on text changes
with regard to which terms should be used instead of
pre-authz/post-authz. Can you help?

Regards,
Yoshihiro Ohba

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.