I'm assuming you have chosen XML for the provisioning file? That's
fine.
I realize the following comments look like a lot. However most of them
are quite small: your approach looks fine, I just have some feedback on
details.
1) I'd prefer <identity> to <idcard>. The fact that they are represented
as cards seems to be a feature of our UI, not an important property of
the abstract model.
2) <display-name> not <name>. Rationale: the emphasis is that this name
should be displayed to people.
3) What's the password encrypted with, how and why?
Password is presumably optional.
4) Realm not issuer. Again, it's an artifact of this interface that
we're calling the realm an issuer.
5) The example services are of the wrong form. A service would
typically look something like [log in to unmask], i.e. it
is a host-based service name in the sense of RFC 2743. The exact details
of the name form are described in draft-ietf-abfab-gss-eap. You probably
should not parse these, but you should expect there will be a lot of
them and that there is typically a hostname component.
6) The service selection rules have internal structure (pattern and
always_confirm flag) you don't show.
7) The two alternatives are either (ca_cert+subject+subject_alt (all
optional)) or (server_cert). You have the trust anchor alternatives
slightly wrong.
Your message does not cover administrator files which can contain
identity selection rules.
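Pulling the schema points above together (display-name and realm naming, an optional password, service names kept opaque, selection rules carrying a pattern plus an always_confirm flag, and the two mutually exclusive trust-anchor alternatives), here is one way a consumer of such a file could parse and sanity-check it. This is an added example, not code from the message or from the project: the element names follow the names suggested in the review but are assumptions rather than a published schema, and the sample file, hosts and certificate placeholders are constructed.

```python
"""Parser for a provisioning file shaped like the review suggests. Added example,
not the project's code; the element names (identity, display-name, realm, password,
services/service, selection-rules/selection-rule, trust-anchor and children) are assumptions."""
import fnmatch
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class SelectionRule:
    pattern: str          # glob matched against the host-based service name
    always_confirm: bool  # UI must still ask the user even when this matches

@dataclass
class TrustAnchor:
    ca_cert: Optional[str]      # alternative 1: CA plus optional constraints
    subject: Optional[str]
    subject_alt: Optional[str]
    server_cert: Optional[str]  # alternative 2: pin one server certificate

@dataclass
class Identity:
    display_name: str
    realm: str
    password: Optional[str]     # optional; stored as given, never decrypted here
    services: List[str]         # kept opaque (not parsed), as the review advises
    rules: List[SelectionRule]
    trust_anchor: TrustAnchor

def _text(elem: ET.Element, tag: str) -> Optional[str]:
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else None

def parse_trust_anchor(elem: Optional[ET.Element]) -> TrustAnchor:
    if elem is None:
        raise ValueError("identity has no <trust-anchor>")
    server_cert = _text(elem, "server-cert")
    ca = {t: _text(elem, t) for t in ("ca-cert", "subject", "subject-alt")}
    has_ca_form = any(v is not None for v in ca.values())
    if server_cert is not None and has_ca_form:  # point 7: alternatives, not both
        raise ValueError("trust anchor mixes server-cert with the CA form")
    if server_cert is None and not has_ca_form:
        # Each CA-form field is optional, but an anchor with nothing in it pins
        # nothing; refusing it is this parser's choice, not the review's.
        raise ValueError("trust anchor is empty")
    return TrustAnchor(ca["ca-cert"], ca["subject"], ca["subject-alt"], server_cert)

def parse_rule(elem: ET.Element) -> SelectionRule:
    pattern = _text(elem, "pattern")
    if not pattern:
        raise ValueError("selection-rule without <pattern>")
    flag = (_text(elem, "always-confirm") or "false").lower()
    if flag not in ("true", "false"):
        raise ValueError("always-confirm must be true or false, got %r" % flag)
    return SelectionRule(pattern, flag == "true")

def parse_identities(xml_text: str) -> List[Identity]:
    identities = []
    for ident in ET.fromstring(xml_text).findall("identity"):
        display_name, realm = _text(ident, "display-name"), _text(ident, "realm")
        if not display_name or not realm:
            raise ValueError("identity needs <display-name> and <realm>")
        services = [s.text.strip() for s in ident.findall("services/service") if s.text]
        rules = [parse_rule(r) for r in ident.findall("selection-rules/selection-rule")]
        identities.append(Identity(display_name, realm, _text(ident, "password"), services,
                                   rules, parse_trust_anchor(ident.find("trust-anchor"))))
    return identities

def select_identity(identities: List[Identity], service: str) -> Optional[Tuple[Identity, bool]]:
    """First identity whose rule matches `service`, plus that rule's always_confirm flag."""
    svc = service.lower()  # hostnames compare case-insensitively
    for ident in identities:
        for rule in ident.rules:
            if fnmatch.fnmatchcase(svc, rule.pattern.lower()):
                return ident, rule.always_confirm
    return None

def rejects(xml_text: str) -> bool:
    try:
        parse_identities(xml_text)
        return False
    except ValueError:
        return True

# Constructed sample input: placeholder certificates and fictitious hosts.
SAMPLE = """<identities>
<identity><display-name>Work account</display-name><realm>example.edu</realm>
<password>s3cret</password><services><service>xmpp@jabber.example.edu</service></services>
<selection-rules><selection-rule><pattern>*@*.example.edu</pattern>
<always-confirm>false</always-confirm></selection-rule></selection-rules>
<trust-anchor><ca-cert>BASE64-CA-CERT-PLACEHOLDER</ca-cert>
<subject-alt>DNS:*.example.edu</subject-alt></trust-anchor></identity>
<identity><display-name>Personal</display-name><realm>home.example.net</realm>
<selection-rules><selection-rule><pattern>*</pattern><always-confirm>true</always-confirm>
</selection-rule></selection-rules><trust-anchor><server-cert>BASE64-SERVER-CERT-PLACEHOLDER
</server-cert></trust-anchor></identity></identities>"""
# Constructed bad input: mixes the two trust-anchor alternatives, so it must be refused.
MIXED_ANCHOR = """<identities><identity><display-name>x</display-name><realm>r</realm>
<trust-anchor><server-cert>a</server-cert><ca-cert>b</ca-cert></trust-anchor></identity></identities>"""
```

Note that `select_identity` deliberately does not split the service name into service and host parts; it only globs the whole string, which is enough to express "anything at a host under example.edu" without taking a position on the exact name form the draft specifies. The `always_confirm` flag is returned to the caller rather than acted on, since whether to prompt is a UI decision.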