>>>>> "Josh" == Josh Howlett <[log in to unmask]> writes:
Josh> Sam,
>> In some ways it might be better if we didn't use EAP in
>> passthrough authenticator mode but instead had peer-to-peer
>> credentials.
Josh> Agreed. Actually this had been my working assumption :-)
OK. It adds a fair bit of code and complexity to mech_eap.
This is particularly true because we then need to add a credential
database to the acceptor's EAP server. GSS doesn't have a good way to
handle that; that's actually one of the problems with using a GSS
interface to a mechanism like SCRAM.
Also, it reduces credential re-use when you have multiple peering points
between organizations.
Adding this to mech_eap is not something we specced or anticipated.
Roughly, I'm trying to figure out whether, given where we are now, we want
to try and go add this support.