$Id: draft-ietf-isms-radius-usage-05-rev.txt,v 1.1 2009/05/05 16:12:55 ekr Exp $

This document is about the use of RADIUS servers with SNMP "transport models" (security protocols such as SSH used with SNMP). As far as I can tell, the idea is to explain how to outsource some of the authorization decisions to RADIUS.

I found this document extremely difficult to read. I realize that the intended audience is people with a lot of RADIUS and SNMP experience, but despite some familiarity with them, I had to work fairly hard to figure out what it was trying to say, and I'm still not sure. This document would benefit very greatly from a diagram explaining how the authors think things are supposed to work.

My big question is how the user authentication decisions are expected to be split between the transport model (e.g., SSH) and RADIUS. For example:

- If the user has a password, who checks it, the RADIUS server or the NAS? RADIUS certainly can do this.
- If the user is authenticating with SSH pubkey auth, who checks that?

These seem like important architectural issues, but I'm not getting them out of the document, and they should in particular be in the security considerations.

IMO, this document would benefit from a rewrite that makes it a lot clearer to someone not enmeshed in the WG.

S 2.
I don't understand what the difference is between service authorization and access control in this context.

S 2.3.
I don't get the SHOULDs here. If you're defining how code points are set, why are these optional?