
Re: AW: Privacy (Was: Re: NAI decoration: User Identity issues)



On Tue, Jul 20, 2004 at 08:09:18PM -0400, Avi Lior wrote:
> In proxy scenarios a RADIUS intermediary acts as a server and a client.
> 
> The Intermediary (acting as a server) can *completely* re-write the username
> attribute as it sends the access accept message to its client. 
> 
> The only requirement is that a Client (in this case the intermediary)
> replace the username that it received from its server in the Accounting
> Messages that it sends to that server.
> 
> Because of this behavior it is *not* guaranteed that RADIUS Intermediaries
> or the NAS will actually see what the home network has placed in the
> username attribute in the access request.
> 
> User-Identity-Alias separates the routing out and allows us to have cleaner
> solutions.

I think you're confusing IETF standards with laws of nature.  If an
intermediary wants to conceal the user's "true" identity, it will
rewrite User-Identity-Alias no matter what an RFC says.  For that matter,
if the home server wants to conceal the identity, it can put random
garbage into User-Identity-Alias.

Surely business models depend on contracts, not just RFCs.  Since this is
a matter of a business model, not of the technical operation of RADIUS,
I don't see any difference between a contract that requires certain
treatment of User-Name in Access-Accepts vs one that requires a stable
medium-to-long-term User-Identity-Alias.

Regards,
Barney

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
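To make the proxy behaviour discussed in this exchange concrete, here is an added Python model; it is not code from either poster nor from any RADIUS implementation. It encodes minimal RFC 2865/2866 packets and walks the chain NAS -> proxy -> home: the proxy verifies the home server's Access-Accept with the secret it shares with the home, replaces User-Name, re-signs toward the NAS with a different secret, and later restores the home's name in the Accounting-Request it forwards. Because the authenticator is hop-by-hop, the NAS can only check the proxy's signature, so nothing in the protocol lets it see what the home server originally placed in the attribute (the same holds for any other attribute an intermediary chooses to rewrite). Shared secrets, identifiers, realms and user names are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865 / RFC 2866.
ACCESS_ACCEPT = 2
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1


def encode_attrs(attrs):
    """Serialize [(type, value_bytes), ...] as RADIUS TLVs."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def user_name(attrs):
    for t, v in attrs:
        if t == ATTR_USER_NAME:
            return v.decode()
    return None


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    attr_bytes = encode_attrs(attrs)
    auth = response_authenticator(code, ident, request_auth, attr_bytes, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes)) + auth + attr_bytes


def verify_response(pkt, request_auth, secret):
    """True only if the packet was signed with this hop's shared secret."""
    code, ident, auth, attrs = parse_packet(pkt)
    expected = response_authenticator(code, ident, request_auth, encode_attrs(attrs), secret)
    return hmac.compare_digest(auth, expected)


def build_accounting_request(ident, attrs, secret):
    """RFC 2866 s.3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attr_bytes = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attr_bytes))
    auth = hashlib.md5(header + b"\x00" * 16 + attr_bytes + secret).digest()
    return header + auth + attr_bytes


def simulate_chain():
    """NAS -> proxy -> home; returns what each party saw as User-Name (all values constructed)."""
    home_secret, nas_secret = b"home-proxy-secret", b"proxy-nas-secret"
    nas_req_auth, proxy_req_auth = os.urandom(16), os.urandom(16)
    ident = 7

    # 1. Home server's Access-Accept, signed with the secret it shares with the proxy only.
    home_accept = build_response(ACCESS_ACCEPT, ident, proxy_req_auth,
                                 [(ATTR_USER_NAME, b"alias-0042@home.example")], home_secret)

    # 2. Proxy (server role toward the NAS): verify, rewrite User-Name, re-sign with the NAS secret.
    if not verify_response(home_accept, proxy_req_auth, home_secret):
        raise ValueError("bad authenticator from home server")
    home_name = user_name(parse_packet(home_accept)[3])
    rewritten = [(t, v) for t, v in parse_packet(home_accept)[3] if t != ATTR_USER_NAME]
    rewritten.append((ATTR_USER_NAME, b"visitor-17@proxy.example"))
    to_nas = build_response(ACCESS_ACCEPT, ident, nas_req_auth, rewritten, nas_secret)
    proxy_map = {user_name(rewritten): home_name}  # proxy remembers which name it handed out

    # 3. NAS verifies with ITS secret: authentic hop-by-hop, but home's original name never reached it.
    if not verify_response(to_nas, nas_req_auth, nas_secret):
        raise ValueError("bad authenticator from proxy")
    nas_name = user_name(parse_packet(to_nas)[3])
    nas_acct = build_accounting_request(ident + 1, [(ATTR_USER_NAME, nas_name.encode())], nas_secret)

    # 4. Proxy (client role toward home) puts back the name it received before forwarding accounting.
    restored = proxy_map[user_name(parse_packet(nas_acct)[3])]
    acct_to_home = build_accounting_request(ident + 1, [(ATTR_USER_NAME, restored.encode())], home_secret)

    return {"home_sent": home_name,
            "nas_saw": nas_name,
            "home_gets_in_accounting": user_name(parse_packet(acct_to_home)[3]),
            # The NAS holds neither the home secret nor the proxy's request authenticator,
            # so even with the raw packet it could not validate what home sent.
            "nas_can_verify_home_packet": verify_response(home_accept, proxy_req_auth, nas_secret)}
```

Running `simulate_chain()` shows the home server and the NAS holding different User-Name values while every authenticator check along the path succeeds; the only thing binding the two names together is state kept inside the proxy, which is exactly the contractual rather than protocol-level guarantee the reply above points to.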

archive: <http://psg.com/lists/radiusext/>