Re: [Emu] Identities and draft-ietf-emu-tls-eap-types-03

Tim Cappalli <Tim.Cappalli@microsoft.com> Tue, 03 August 2021 15:16 UTC

From: Tim Cappalli <Tim.Cappalli@microsoft.com>
To: "aland@deployingradius.com" <aland@deployingradius.com>
CC: "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] Identities and draft-ietf-emu-tls-eap-types-03
Date: Tue, 3 Aug 2021 15:15:49 +0000
Message-ID: <SJ0PR00MB100665A734958F27868A9F6695F09@SJ0PR00MB1006.namprd00.prod.outlook.com>
References: <502A7B31-1177-477D-B177-D415BAF67E61@deployingradius.com> <F810992C-CD75-493B-ABFB-F56AB838C90F@deployingradius.com> <CO1PR00MB0996467D20415461A83119EA95EF9@CO1PR00MB0996.namprd00.prod.outlook.com> <010AEE0C-2B4B-456B-8022-5FCEF2D6A5CB@deployingradius.com> <SA2PR00MB10024E64C25E84C753A1C78D95F09@SA2PR00MB1002.namprd00.prod.outlook.com> <401598CD-BB36-413A-A866-8ADD9EDAC4ED@deployingradius.com>
In-Reply-To: <401598CD-BB36-413A-A866-8ADD9EDAC4ED@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/AxBV1bkBwsSqrotzk_mpxCR8qzw>
Subject: Re: [Emu] Identities and draft-ietf-emu-tls-eap-types-03
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>

EAP identities only apply to 802.1X, so yes. Supplicants are not designed to be configured by end users. How this data gets configured is irrelevant to the conversation.

tim

From: Alan DeKok <aland@deployingradius.com>
Date: Tuesday, August 3, 2021 at 10:50
To: Tim Cappalli <Tim.Cappalli@microsoft.com>
Cc: emu@ietf.org <emu@ietf.org>
Subject: Re: [Emu] Identities and draft-ietf-emu-tls-eap-types-03
On Aug 3, 2021, at 10:01 AM, Tim Cappalli <Tim.Cappalli@microsoft.com> wrote:
> I fail to understand why this is "a terrible idea". Many organizations, including EDUs have multiple TLDs that are used for sign-in. Cloud IdPs require a fully qualified username.

  Sure.  It's good to see the NAI recommendations of RFC 7542 being more widely adopted.  :)

  My question, though, is: is this a use-case for 802.1X?  Are users really capable now of entering one identity for the outer routing, and a completely different one for the inner one?  Or do the users use MDM to do it?

  I haven't seen widespread use of different realms in EAP, but maybe I'm not talking to the right people.

> I don't think there should be any text on this topic.

  I think it's useful to give guidance on pros/cons of this issue.  If using different inner/outer realms is a common practice, then it would be good to explain when that's used, and why.

  Alan DeKok.
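The thread above turns on the split between the outer identity (sent in the clear in EAP-Response/Identity and used only to route the request to a home server) and the inner identity (sent inside the TLS tunnel and used to authenticate), and on whether their realms may differ. The following is an added example, not code from draft-ietf-emu-tls-eap-types or from either poster: it parses NAIs along the lines of RFC 7542, builds a privacy-preserving outer identity whose realm may differ from the inner one, routes on the outer realm, and performs the home-server check that the inner realm is actually one it serves. The realm table, host names, sample identities and the use of "anonymous" as the outer username are all constructed for illustration.

```python
"""Added example: NAI handling for outer/inner identities in a TLS-based EAP
method. Not code from the draft or the mailing-list thread; the realm table,
hosts and identities below are constructed (hypothetical) values.
"""
from typing import Optional, Tuple

# Constructed routing table: realm -> home AAA server (hypothetical hosts).
REALM_TABLE = {
    "example.edu": "aaa.example.edu",
    "sub.example.edu": "aaa.example.edu",
    "partner.example": "aaa.partner.example",
}


def parse_nai(nai: str) -> Tuple[str, Optional[str]]:
    """Split an NAI into (username, realm).

    RFC 7542 allows '@' inside the username, so the realm is what follows the
    LAST '@'. An NAI without '@' has no realm (returned as None). A leading
    '@realm' with an empty username is the anonymous form. Realms are
    lower-cased here so routing lookups are case-insensitive (design choice
    of this example).
    """
    if "@" not in nai:
        return nai, None
    user, _, realm = nai.rpartition("@")
    if realm == "":
        raise ValueError(f"empty realm in NAI {nai!r}")
    return user, realm.lower()


def outer_identity(inner_nai: str, routing_realm: Optional[str] = None) -> str:
    """Build the identity sent in the clear before the TLS tunnel exists.

    It carries only a realm and no real username, because its sole job is
    routing. 'routing_realm' lets the outer realm differ from the inner one,
    which is the deployment the thread discusses (e.g. an institutional realm
    outside, a cloud IdP realm inside).
    """
    _, inner_realm = parse_nai(inner_nai)
    realm = routing_realm or inner_realm
    if realm is None:
        raise ValueError("cannot build an outer identity without a realm")
    return f"anonymous@{realm.lower()}"


def route(outer_nai: str) -> str:
    """Proxy side: choose the home server from the outer identity's realm."""
    _, realm = parse_nai(outer_nai)
    if realm is None or realm not in REALM_TABLE:
        raise LookupError(f"no route for realm {realm!r}")
    return REALM_TABLE[realm]


def inner_realm_is_served(inner_nai: str, server: str) -> bool:
    """Home-server side: once the tunnel is up, confirm the inner identity's
    realm is one this server authenticates. A mismatch usually means a
    misconfigured supplicant or realm table and should be logged and
    rejected rather than silently accepted."""
    _, realm = parse_nai(inner_nai)
    return realm is not None and REALM_TABLE.get(realm) == server


def demo() -> Tuple[str, str, bool]:
    """Walk one authentication: inner realm differs from the outer realm."""
    inner = "alice@sub.example.edu"  # constructed inner identity
    outer = outer_identity(inner, routing_realm="example.edu")
    server = route(outer)
    return outer, server, inner_realm_is_served(inner, server)


if __name__ == "__main__":
    print(demo())
```

The two identities are handled by different parties (the proxy never sees the inner one), which is why the check in `inner_realm_is_served` belongs on the home server: routing on the outer realm says nothing about whether the inner realm is legitimate there.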