Re: Scope of applicability for CUI
Hi Avi,
Continuing the requirements discussion still for one
part:
Regarding legal interception:
Yes they may want certain CUI forms but Opaque may also suffice. For
example, with Opaque values they may insist that the issuer of the opaque
CUI not reuse any of the values for six months. That is, they may issue a
new opaque value for an identity every month. But will freeze the value
for 6 months.
Then the law enforcement agency (LEA) can then issue a court order and
require that the issuer of the opaque value resolve it back to the user
identity.
If legal interception is a requirement, I'm not sure the
above is sufficient. There are multiple organizations and
countries involved. If I am visiting in country X and they
want to intercept all my usage in that country, it does
not help if CUI indicates "1245@anisp.countryY" -- particularly
if X and Y don't want to reveal to each other who they are
tracking. From the point of view of the access network and
country X, it's much easier to just require cleartext CUIs...
(I'm just guessing that this might be one of the reasons
why people want to have non-opaque CUIs. It would be good
if someone could confirm this.)
--Jari