IETF Logo Mail Archive

Re: [radext] I-D Action: draft-ietf-radext-nai-02.txt

"Jim Schaad" <ietf@augustcellars.com> Mon, 18 March 2013 18:58 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4775521F904B for <radext@ietfa.amsl.com>; Mon, 18 Mar 2013 11:58:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pV7FphglUwEZ for <radext@ietfa.amsl.com>; Mon, 18 Mar 2013 11:58:08 -0700 (PDT)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by ietfa.amsl.com (Postfix) with ESMTP id 66DEB21F9083 for <radext@ietf.org>; Mon, 18 Mar 2013 11:57:50 -0700 (PDT)
Received: from Philemon (winery.augustcellars.com [206.212.239.129]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id 0293F2CA43; Mon, 18 Mar 2013 11:57:45 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Sam Hartman' <hartmans@painless-security.com>
References: <20130128155031.8392.45953.idtracker@ietfa.amsl.com> <5147172F.8090100@restena.lu> <08fd01ce23f5$cf8d0b90$6ea722b0$@augustcellars.com> <tslfvzsvd24.fsf@mit.edu>
In-Reply-To: <tslfvzsvd24.fsf@mit.edu>
Date: Mon, 18 Mar 2013 11:57:12 -0700
Message-ID: <091f01ce240a$6705a860$3510f920$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQL6YW4g7f1S+/CPu7v6J0B2nAJo2gLhVSs4ARX2zroCZPYREpYgbqdA
Content-Language: en-us
Cc: 'Stefan Winter' <stefan.winter@restena.lu>, radext@ietf.org
Subject: Re: [radext] I-D Action: draft-ietf-radext-nai-02.txt
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2013 18:58:17 -0000

Sam,

In the descriptive text that Stefan provided, he said that the AAA client
was configured with the fact that the names were the same.  Thus there is no
reason for it not to do the mapping on that information rather than
normalization.

If we are talking about delaying the normalization, then we are looking at
what the AAA client as oppose to the AAA server is looking for in the
un-normalized name.   AAA proxies are always going to want to see the
normalized version of the name.  

There may be other issues in non-AAA systems, but again we are looking at
three different entities, the initial client, any proxies in the middle and
the final destination server.  We are imposing work on the middle proxies in
order to get something that is not necessarily a strong benefit for the
final server.

Jim


> -----Original Message-----
> From: Sam Hartman [mailto:hartmans@painless-security.com]
> Sent: Monday, March 18, 2013 10:22 AM
> To: Jim Schaad
> Cc: 'Stefan Winter'; radext@ietf.org
> Subject: Re: [radext] I-D Action: draft-ietf-radext-nai-02.txt
> 
> >>>>> "Jim" == Jim Schaad <ietf@augustcellars.com> writes:
> 
>     Jim> I would not support this change.  I would suggest that in this
>     Jim> case that the AAA client should be the one that does the
>     Jim> required normalization or mapping into the normal form as part
>     Jim> of its "I know where this is supposed to be going" work.
> 
>     Jim> I don't see any reason to impose this onto the middle proxies
>     Jim> rather than the injecting system.
> 
> We have a lot of experience in the i18n space that suggests you're much
> better off normalizing as late as possible.  When you normalize at
injection
> you can lose information and collapse things together that a later party
may
> wish you had not.  The person using the information is in a much better
> position to know what options they need to distinguish between and thus is
in
> a better position to know what normalization is appropriate.
> 
> The major exceptions to this rule are when you're forced to normalize
before
> hashing/encrypting or when you have a legacy system like the DNS.
> 
> --Sam

v2.46.0 | Report a Bug | By Email | System Status