Re: [Emu] Identities and draft-ietf-emu-tls-eap-types-03

Tim Cappalli <Tim.Cappalli@microsoft.com> Tue, 03 August 2021 14:01 UTC

From: Tim Cappalli <Tim.Cappalli@microsoft.com>
To: "aland@deployingradius.com" <aland@deployingradius.com>
CC: "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] Identities and draft-ietf-emu-tls-eap-types-03
Date: Tue, 3 Aug 2021 14:01:24 +0000
Message-ID: <SA2PR00MB10024E64C25E84C753A1C78D95F09@SA2PR00MB1002.namprd00.prod.outlook.com>
References: <502A7B31-1177-477D-B177-D415BAF67E61@deployingradius.com> <F810992C-CD75-493B-ABFB-F56AB838C90F@deployingradius.com> <CO1PR00MB0996467D20415461A83119EA95EF9@CO1PR00MB0996.namprd00.prod.outlook.com> <010AEE0C-2B4B-456B-8022-5FCEF2D6A5CB@deployingradius.com>
In-Reply-To: <010AEE0C-2B4B-456B-8022-5FCEF2D6A5CB@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/7DTU2Eqz8ixuMIIRLU25RZWpOM4>
Subject: Re: [Emu] Identities and draft-ietf-emu-tls-eap-types-03
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>

I fail to understand why this is "a terrible idea". Many organizations, including EDUs, have multiple TLDs that are used for sign-in. Cloud IdPs require a fully qualified username.

I don't think there should be any text on this topic.

From: Alan DeKok <aland@deployingradius.com>
Date: Tuesday, August 3, 2021 at 08:20
To: Tim Cappalli <Tim.Cappalli@microsoft.com>
Cc: emu@ietf.org <emu@ietf.org>
Subject: Re: [Emu] Identities and draft-ietf-emu-tls-eap-types-03
On Aug 2, 2021, at 4:32 PM, Tim Cappalli <Tim.Cappalli@microsoft.com> wrote:
>
> >> However, if the outer realm is "@example.com", then the inner realm cannot be "username@example.org".
>
> I disagree with this requirement. Many organizations have multiple domains used for fully qualified usernames but for routing simplicity, may want to use the org's primary domain for routing.
>
> It should be perfectly valid to configure an outer realm of @microsoft.com but have inner identities with other domains (ex: tim@github.com, tim@linkedin.com, etc)

  Does this happen a lot?  I must admit I've rarely seen anything like this.

  On top of that, enterprise routing is much rarer than in educational systems like Eduroam.  While enterprise "roaming providers" exist, they're typically not doing 802.1X.  So there's only one identity for them.

  OpenRoaming is new, and enterprise, and 802.1X.  But it's not widely used, and the identities are typically automatically provisioned.  i.e. to your phone, via the telephone provider.  And there's no "legacy" issues, so the outer identity is for routing, and the inner identity is controlled and provisioned by the provider.

  So I can't think of many good reasons to have different outer/inner realms.  The use-cases are small, and rare.

  I'm OK with not forbidding it.  But I think there needs to be strong language saying "this is a terrible idea, and you really need to think hard before doing anything like this".

  Alan DeKok.
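The disagreement above is about one concrete check: whether the realm of the inner (authenticating) identity may differ from the realm of the outer (routing) identity. The following is an added example, not code from the draft, from FreeRADIUS, or from either poster. It parses both identities as Network Access Identifiers (user@realm), then applies either the strict rule the draft text describes (inner realm must equal outer realm) or the multi-domain rule Tim argues for (inner realm must be one the organization behind the outer realm has registered). The `REALM_ALLOWLIST` mapping is a constructed assumption standing in for a home server's configuration; the realm values are illustrative.

```python
"""Outer/inner realm consistency check for tunnelled EAP methods.

Added example (not from draft-ietf-emu-tls-eap-types or any poster).
The outer identity's realm decides which AAA server the tunnel is routed to,
so that server is the one that ends up seeing the inner identity and
credentials. The two policies below model the two positions in the thread:

  strict    - inner realm must equal the outer realm (draft-03 wording)
  allowlist - inner realm may be any realm the outer realm's organization
              has registered for sign-in (multi-domain organizations)

Realm comparison is case-insensitive because DNS names are.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class NAI:
    username: str          # empty for an anonymous outer identity such as "@example.com"
    realm: Optional[str]   # None when the identity carries no realm (not routable)


def parse_nai(identity: str) -> NAI:
    """Split user@realm at the last '@'; realm is lower-cased for comparison."""
    if "@" not in identity:
        return NAI(username=identity, realm=None)
    user, _, realm = identity.rpartition("@")
    if not realm:
        raise ValueError(f"empty realm in identity {identity!r}")
    return NAI(username=user, realm=realm.lower())


# Constructed mapping (assumption for this example): for each routing realm,
# the set of inner realms its home server is willing to authenticate. In a
# real deployment this comes from the home server's own configuration.
REALM_ALLOWLIST: Dict[str, FrozenSet[str]] = {
    "example.com": frozenset({"example.com", "example.org", "example.net"}),
}


def check_realms(outer_identity: str, inner_identity: str,
                 policy: str = "strict") -> bool:
    """Return True when the inner identity is acceptable for this outer identity."""
    outer = parse_nai(outer_identity)
    inner = parse_nai(inner_identity)

    if outer.realm is None:
        # Nothing for proxies to route on; treat as a misconfigured supplicant.
        return False
    if inner.realm is None:
        # A bare inner username cannot conflict with the outer realm; the home
        # server for the outer realm simply authenticates it locally.
        return True

    if policy == "strict":
        return inner.realm == outer.realm
    if policy == "allowlist":
        allowed = REALM_ALLOWLIST.get(outer.realm, frozenset({outer.realm}))
        return inner.realm in allowed
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample pairs, one per case the thread discusses.
    for outer, inner in [("@example.com", "tim@example.com"),
                         ("@example.com", "tim@example.org"),
                         ("@example.com", "tim@github.com")]:
        print(f"{outer:<14} {inner:<18} strict={check_realms(outer, inner)!s:<5} "
              f"allowlist={check_realms(outer, inner, 'allowlist')}")
```

A home server that accepts an inner realm it does not own (the third sample pair under either policy) is the situation the draft's wording guards against: the credentials for that realm have been routed by the outer realm to a server that has no business seeing them. The allowlist policy keeps that protection while permitting the legitimately multi-domain organization Tim describes.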