Re: [Emu] Identities and draft-ietf-emu-tls-eap-types-03

Alan DeKok <> Tue, 03 August 2021 12:20 UTC

On Aug 2, 2021, at 4:32 PM, Tim Cappalli <> wrote:
> >> However, if the outer realm is "".com", then the inner realm cannot be "".org".
> I disagree with this requirement. Many organizations have multiple domains used for fully qualified usernames but for routing simplicity, may want to use the org's primary domain for routing.
> It should be perfectly valid to configure an outer realm of but have inner identities with other domains (ex:,, etc)

  Does this happen a lot?  I must admit I've rarely seen anything like this.

  On top of that, enterprise routing is much rarer than in educational systems like Eduroam.  While enterprise "roaming providers" exist, they're typically not doing 802.1X.  So there's only one identity for them. 

  OpenRoaming is new, and enterprise, and 802.1X.  But it's not widely used, and the identities are typically automatically provisioned.  i.e. to your phone, via the telephone provider.  And there's no "legacy" issues, so the outer identity is for routing, and the inner identity is controlled and provisioned by the provider.

  So I can't think of many good reasons to have different outer/inner realms.  The use-cases are small, and rare.

  I'm OK with not forbidding it.  But I think there needs to be strong language saying "this is a terrible idea, and you really need to think hard before doing anything like this".

  Alan DeKok.
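The disagreement above is about whether an authentication server should reject, warn on, or silently accept an inner identity whose realm differs from the outer (anonymous) identity's realm. The following is an added example, not code from the thread, the draft, or any EAP implementation: it splits identities of the NAI form user@realm (realm taken after the last '@', compared case-insensitively, both assumptions of this example), reports a realm mismatch, and applies a configurable policy. The optional per-outer-realm allowlist of inner realms is a construction here to show how Tim's multi-domain case can be permitted explicitly while everything else is flagged, as Alan suggests.

```python
"""Outer/inner realm consistency check for tunneled EAP identities.

Added example (not from the original message or the draft). Assumes
NAI-style identities (RFC 7542 user@realm); realm is the text after the
last '@' and is compared case-insensitively, like a DNS name.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Nai:
    user: str
    realm: Optional[str]  # None when the identity carries no '@realm'


def parse_nai(identity: str) -> Nai:
    """Split 'user@realm' on the LAST '@' so usernames containing '@' survive."""
    if "@" not in identity:
        return Nai(identity, None)
    user, _, realm = identity.rpartition("@")
    # Assumption: realms compare case-insensitively; normalise to lowercase.
    return Nai(user, realm.lower() or None)


def realm_mismatch(outer_identity: str, inner_identity: str) -> Optional[str]:
    """Return a human-readable reason when the two realms differ, else None.

    A bare inner username (no realm) inherits the outer realm, so there is
    nothing to compare; likewise when the outer identity has no realm the
    request was never routed by realm and the check does not apply.
    """
    outer = parse_nai(outer_identity)
    inner = parse_nai(inner_identity)
    if outer.realm is None or inner.realm is None:
        return None
    if outer.realm != inner.realm:
        return f"outer realm {outer.realm!r} differs from inner realm {inner.realm!r}"
    return None


def evaluate(
    outer_identity: str,
    inner_identity: str,
    forbid_mismatch: bool = False,
    allowed_inner_realms: Optional[Dict[str, FrozenSet[str]]] = None,
) -> Tuple[str, Optional[str]]:
    """Apply site policy to a (possibly) mismatched realm pair.

    Returns (decision, reason) where decision is 'accept', 'warn' or 'reject'.
    allowed_inner_realms maps an outer realm to the inner realms an operator
    has deliberately chosen to route under it (constructed policy knob).
    """
    reason = realm_mismatch(outer_identity, inner_identity)
    if reason is None:
        return ("accept", None)

    outer_realm = parse_nai(outer_identity).realm
    inner_realm = parse_nai(inner_identity).realm
    if allowed_inner_realms and inner_realm in allowed_inner_realms.get(outer_realm, frozenset()):
        # Explicitly configured exception: the operator opted in to this pairing.
        return ("accept", None)
    if forbid_mismatch:
        return ("reject", reason)
    # Default stance from the thread: permit, but make the mismatch loud.
    return ("warn", reason)


if __name__ == "__main__":
    # Constructed sample identities; none of these are real accounts.
    pairs = [
        ("anonymous@example.com", "alice@example.com"),
        ("anonymous@example.com", "bob@example.org"),
        ("anonymous@example.com", "carol"),
        ("anonymous@EXAMPLE.COM", "dave@example.com"),
    ]
    for outer, inner in pairs:
        print(outer, inner, evaluate(outer, inner))
```

In a RADIUS or EAP server this check would sit at the point where the inner identity becomes known (after the TLS tunnel is up), and the 'warn' branch would feed the server's log rather than the client's reply, so a misconfigured supplicant is visible to the operator without leaking the inner realm to the path.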