[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: AW: Privacy (Was: Re: NAI decoration: User Identity issues)
On Tue, Jul 20, 2004 at 08:09:18PM -0400, Avi Lior wrote:
> In proxy scenarios a RADIUS intermediary acts as a server and a client.
>
> The Intermediary (acting as a server) can *completely* re-write the username
> attribute as it sends the access accept message to its client.
>
> The only requirement is that a Client (in this case the intermediary )
> replace the username that it received from it's server in the Acccounting
> Messages that it sends to that server.
>
> Because of this behavior it is *not* guaranteed that RADIUS Intermediaries
> or the NAS will actually see what the home network has placed in the
> username attribute in the access request.
>
> User-Identity-Alias seperates the routing out and allows us to have cleaner
> solutions.
I think you're confusing IETF standards with laws of nature. If an
intermediary wants to conceal the user's "true" identity, it will
rewrite User-Identity-Alias no matter what an RFC says. For that matter,
if the home server wants to conceal the identity, it can put random
garbage into User-Identity-Alias.
Surely business models depend on contracts, not just RFCs. Since this is
a matter of a business model, not of the technical operation of RADIUS,
I don't see any difference between a contract that requires certain
treatment of User-Name in Access-Accepts vs one that requires a stable
medium-to-long-term User-Identity-Alias.
Regards,
Barney
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>