
Re: Chargeable-User-Identity



David,
  let me jump in here.
David B. Nelson wrote:
> Stefan Winter writes...
>
>   
>> It is of course possible to use long-lived IDs.
>>     
>
> OK.
>
>   
>> Our concern comes from using long-lived, *globally
>> valid* IDs.
>>     
>
> Globally valid?  CUI was intended to be valid only to its issuer, i.e., it's
> a "cookie".  All other bets are off.  I see that your use case requires a
> globally unique surrogate user identifier that NASes and Proxies can use to
> build user blacklists.  I'm not sure that the definition of CUI exactly fits
> the bill, in that it's possible for two disjoint home AAA servers to issue
> the same CUI for completely different users.  Unlikely, perhaps, but
> possible.
>   
Well, CUI is intended mainly for accounting purposes, and it is passed
from the home AAA server of the user to the visited organisation, which
can then do its accounting based on the CUI value and pass the bill to
the home site. Right?

CUI is supposed to be persistent (or semi-persistent) but in a structure
like eduroam, where the home institution does not know where the user
currently is, we would have no option but to set the CUI to the same
value (for a given amount of time), regardless of the user location.
This is what Stefan calls a "globally valid" CUI. For our needs (and
probably also for most other roaming scenarios) it only matters that the
CUI for a given user stays the same when communicated to the same
visited network. If it is another network, then we can use another CUI
value.
We do not want to have a chance of sites collecting their data together
and creating user mobility profiles.
So, when we generate the CUI value we want to feed in the User-Name and
the visited network identifier and produce an opaque value.

This is why we want a visited network identifier passed to the home
institution.

Cheers
Tomasz Wolniewicz

-- 
Tomasz Wolniewicz    
          twoln@umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
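
An added example, not part of the original message: one way a home AAA server could derive the per-visited-network CUI described above, so that the value is stable toward one visited network but differs between networks. The HMAC-SHA256 construction, the key, the rotation period and the identifier strings are assumptions for illustration; the thread does not specify a derivation.

```python
import hashlib
import hmac
import struct

# Constructed demo key (assumption); a real home server keeps this secret
# in protected storage and never shares it with visited networks.
HOME_SERVER_KEY = b"constructed-demo-key-not-for-production"
ROTATION_SECONDS = 30 * 24 * 3600  # assumed lifetime of one CUI value


def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") cannot collide."""
    raw = value.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw


def derive_cui(key: bytes, user_name: str, visited_network_id: str,
               now: int, rotation: int = ROTATION_SECONDS) -> str:
    """Return an opaque CUI bound to (user, visited network, time period).

    Callers must pass identifiers in one canonical form; any difference in
    spelling or case yields a different CUI.
    """
    period = int(now) // rotation  # value changes when the period rolls over
    msg = (_field(user_name) + _field(visited_network_id)
           + struct.pack(">Q", period))
    # Keyed hash: without the key, a visited network cannot recompute or
    # correlate the values issued to other networks for the same user.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def demo() -> dict:
    """Constructed scenario: one user roaming to two visited networks."""
    t0 = 1_700_000_000  # constructed timestamp
    user = "alice@home.example"
    return {
        "net_a_first": derive_cui(HOME_SERVER_KEY, user, "visited-a.example", t0),
        "net_a_again": derive_cui(HOME_SERVER_KEY, user, "visited-a.example", t0 + 3600),
        "net_b": derive_cui(HOME_SERVER_KEY, user, "visited-b.example", t0),
        "net_a_next_period": derive_cui(HOME_SERVER_KEY, user, "visited-a.example",
                                        t0 + ROTATION_SECONDS),
    }


if __name__ == "__main__":
    for label, cui in demo().items():
        print(f"{label:18} {cui}")
```

The visited network identifier has to reach the home server in the request for this to work, which is the requirement the message argues for.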