> > I think that's a good compromise. An API is fairly unambiguous, whereas
> > the in-band / out-of-band distinction might lead to confusion depending
> > on what you consider the reference point to be.
>
> IMHO, in-band is very clear: EAP is transported by the subject application
> that seeks authentication.
> Out-band is: EAP is transported by a protocol other than the one
> implementing the subject application.
Perhaps it's a bit contrived, but I'd just like to test this definition with the following scenario.
Let's postulate the existence of a WS-Security EAP Token Profile for federating Web Services using EAP. Now imagine someone writes a SOAP web service that composes this profile with the GSS EAP mechanism in order to credential the WS-Security EAP Token Profile exchange used by the Web Service. Both EAP exchanges are happening within the same TCP connection (subject application).
I think the in-band / OOB distinction is okay, but I prefer the API approach.
Josh.
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG