
RE: AW: Privacy (Was: Re: NAI decoration: User Identity issues)



Hi

See inline...

> -----Original Message-----
> From: Barney Wolff [mailto:barney@databus.com] 
> Sent: Tuesday, July 20, 2004 6:16 PM
> To: Avi Lior
> Cc: Jari Arkko; Lothar Reith; 'radiusext@ops.ietf.org'
> Subject: Re: AW: Privacy (Was: Re: NAI decoration: User 
> Identity issues)
> 
> 
> On Tue, Jul 20, 2004 at 08:09:18PM -0400, Avi Lior wrote:
> > In proxy scenarios a RADIUS intermediary acts as a server and a 
> > client.
> > 
> > The Intermediary (acting as a server) can *completely* re-write the 
> > username attribute as it sends the access accept message to its 
> > client.
> > 
> > The only requirement is that a Client (in this case the 
> > intermediary) 
> > replace the username that it received from its server in the 
> > Accounting Messages that it sends to that server.
> > 
> > Because of this behavior it is *not* guaranteed that RADIUS 
> > Intermediaries or the NAS will actually see what the home 
> > network has 
> > placed in the username attribute in the access request.
> > 
> > User-Identity-Alias separates the routing out and allows us to have 
> > cleaner solutions.
> 
> I think you're confusing IETF standards with laws of nature.  
> If an intermediary wants to conceal the user's "true" 
> identity, it will rewrite User-Identity-Alias no matter what 
> an RFC says.  For that matter, if the home server wants to 
> conceal the identity, it can put random garbage into 
> User-Identity-Alias.

Intermediary could even leave it out.  I understand this all too well.

 
> Surely business models depend on contracts, not just RFCs.  
> Since this is a matter of a business model, not of the 
> technical operation of RADIUS, I don't see any difference 
> between a contract that requires certain treatment of 
> User-Name in Access-Accepts vs one that requires a stable 
> medium-to-long-term User-Identity-Alias.

In the draft we have taken comments (from Nelson and others) that say that
intermediaries MUST not modify the User-Identity-Alias.

So we are trying to clean up the issues, because some roaming relationships
are very complex and involve brokers etc.


> Regards,
> Barney
> 
> -- 
> Barney Wolff         http://www.databus.com/bwresume.pdf
> I'm available by contract or FT, in the NYC metro area or via 
> the 'Net.
> 
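The rewrite the thread is arguing about, shown on the wire as an added example (not code from the thread, the draft, or any RADIUS implementation): a RADIUS proxy can drop the home server's User-Name from an Access-Accept and re-sign the packet with the secret it shares with the NAS, because the Response Authenticator (RFC 2865 section 3) only protects each hop. The NAS verifies the proxy's packet successfully and has no way to see that the attribute was changed, which is why the protocol itself cannot enforce a MUST NOT on intermediaries. Secrets, names and the fixed Request Authenticator are constructed, and the proxy is assumed to forward the NAS's Request Authenticator unchanged.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
USER_NAME = 1  # RFC 2865 attribute type for User-Name

def encode_attrs(attrs):
    # Each attribute is Type (1 byte), Length (1 byte, incl. header), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(pkt):
    attrs, i = [], 20  # attributes start after the 20-byte header
    while i < len(pkt):
        t, alen = pkt[i], pkt[i + 1]
        attrs.append((t, pkt[i + 2:i + alen]))
        i += alen
    return attrs

def build_response(code, ident, request_auth, attrs, secret):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(pkt, request_auth, secret):
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    return hashlib.md5(header + request_auth + body + secret).digest() == resp_auth

def proxy_rewrite_user_name(pkt, ident, request_auth, nas_secret, new_name):
    # The intermediary strips the home server's User-Name, inserts its own,
    # and re-signs for the NAS hop; nothing end-to-end is left to break.
    attrs = [(t, v) for t, v in parse_attrs(pkt) if t != USER_NAME]
    attrs.append((USER_NAME, new_name))
    return build_response(ACCESS_ACCEPT, ident, request_auth, attrs, nas_secret)

def demo():
    # Constructed scenario: home server -> proxy -> NAS, one Access-Accept.
    request_auth = bytes(range(16))  # constructed Request Authenticator from the NAS
    ident, home_secret, nas_secret = 7, b"home-proxy-secret", b"proxy-nas-secret"
    home_pkt = build_response(ACCESS_ACCEPT, ident, request_auth,
                              [(USER_NAME, b"alice@home.example")], home_secret)
    nas_pkt = proxy_rewrite_user_name(home_pkt, ident, request_auth, nas_secret,
                                      b"roam-0001@proxy.example")
    return {
        "proxy_verified_home_hop": verify_response(home_pkt, request_auth, home_secret),
        "nas_accepts_packet": verify_response(nas_pkt, request_auth, nas_secret),
        "home_pkt_checks_under_nas_secret": verify_response(home_pkt, request_auth, nas_secret),
        "home_user_name": b"alice@home.example",
        "nas_user_name": dict(parse_attrs(nas_pkt))[USER_NAME],
    }
```

The NAS will then use the proxy's User-Name in its Accounting-Requests, so the home network never learns whether its own value survived; the same hop-by-hop property applies to any new attribute such as User-Identity-Alias.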

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>