Re: Issue: Treatment of null Identity Response

[Jari Arkko <jari.arkko@piuha.net>]

I think we should (1) discourage use of empty string in the client for
privacy purposes and (2) document the different current usage in the
NAS side and recommend X for new implementations. I'm leaning on
X being no User-Name but use of CSID instead.

--Jari

Bernard Aboba wrote:

> It certainly makes sense to discourage use of a null 
> EAP-Response/Identity.  If anonymity is desired, then a response of 
> "@localrealm" can be sent instead.  But what should the RADIUS client 
> do if it gets an EAP-Response/Identity with no data?  Should it insert 
> "@localrealm" in the User-Name attribute?  Send no User-Name attribute 
> and include the Called-Station-ID instead?
>
>
> > From: Jari Arkko <jari.arkko@piuha.net>
> > To: Bernard Aboba <bernard_aboba@hotmail.com>
> > CC: Pasi.Eronen@nokia.com,  radiusext@ops.ietf.org
> > Subject: Re: Issue: Treatment of null Identity Response
> > Date: Tue, 13 Dec 2005 16:25:12 +0200
> >
> > Bernard Aboba wrote:
> >
> > > RFC 4282 allows use of a userid without a realm ("fred").  It also 
> > > allows use of a realm without a userid ("@example.com").   So as far 
> > > as I can tell, an NAI without either a userid or realm is allowed as 
> > > well.
> >
> >
> > I think not -- here's the ABNF:
> >
> >   nai         =  username
> >   nai         =/ "@" realm
> >   nai         =/ username "@" realm
> >
> > which seems to imply that its either username, realm, or both. And 
> > neither
> > the "username" or "realm" can be an empty string.
> >
> > > One interpretation is that it represents the anonymous NAI of the 
> > > local realm, and so is equivalent to "@localrealm".  Since RFC 4282 
> > > discourages use of pseudonyms such as "anonymous" it is not clear 
> > > what the preferred representation is for "the anonymous user of the 
> > > local realm".  Under this line of thought, the null userid might not 
> > > only be legal, it might actually be the *preferred* representation!
> >
> >
> > Anyway, even if such a NAI would be legal, I think we should 
> > discourage it
> > at the client side for obvious roaming problems -- of course the NAS 
> > side could
> > still use that.
> >
> > But if I can read (or write) ABNF, then its not a legal NAI...
> >
> > --Jari
> >
> >
> > --
> > to unsubscribe send a message to radiusext-request@ops.ietf.org with
> > the word 'unsubscribe' in a single line as the message text body.
> > archive: <http://psg.com/lists/radiusext/>


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>