[radext] draft-ietf-radext-nai-08 AD review
Benoit Claise <bclaise@cisco.com> Tue, 28 October 2014 22:51 UTC
Return-Path: <bclaise@cisco.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D35A1A03E3 for <radext@ietfa.amsl.com>; Tue, 28 Oct 2014 15:51:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tHMBLoZCw_ZO for <radext@ietfa.amsl.com>; Tue, 28 Oct 2014 15:51:39 -0700 (PDT)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFD3F1A00D7 for <radext@ietf.org>; Tue, 28 Oct 2014 15:51:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8742; q=dns/txt; s=iport; t=1414536699; x=1415746299; h=message-id:date:from:mime-version:to:subject; bh=EQbldYozwyZQ+0rS2g4HDKPPo/FCGU00a9UM+1tyuTk=; b=mT9zs1CUCuIr/gb6c85RMRkWfK9DxLFi5jnRT0mdwc7F8gcKRgOmfSEH n91NG9Fl6if8PWQ8ZsmxRB5QqjZcBTFFldlmqy2pWZRP0NqVZe23Jrcum m9FWtXTc/b+bP4mbyZUmIEdi90c9PLKF4X9m16p3yrhJuBpLPeXnINHTS 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AukEADUdUFStJssW/2dsb2JhbABcg2JYAYhgw3aBcIkCAQEBAQF9hQE9FhgDAgECAUsBDAgBARCILQ3FZQEBAQEGAQEBAQEdkESFFwWWVYJDhFCBbYYBjkiDeTwvAYJKAQEB
X-IronPort-AV: E=Sophos;i="5.04,805,1406592000"; d="scan'208,217";a="228878737"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP; 28 Oct 2014 22:51:37 +0000
Received: from [10.60.67.85] (ams-bclaise-8914.cisco.com [10.60.67.85]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id s9SMpaqE013834; Tue, 28 Oct 2014 22:51:36 GMT
Message-ID: <54501DF8.3070802@cisco.com>
Date: Tue, 28 Oct 2014 23:51:36 +0100
From: Benoit Claise <bclaise@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
MIME-Version: 1.0
To: draft-ietf-radext-nai@tools.ietf.org, "radext@ietf.org" <radext@ietf.org>
Content-Type: multipart/alternative; boundary="------------000808020402010900090000"
Archived-At: http://mailarchive.ietf.org/arch/msg/radext/7fE7ecd6dHB_iNgi9Rot3mvL6Gw
Subject: [radext] draft-ietf-radext-nai-08 AD review
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 22:51:42 -0000
Dear all, Here is my draft-ietf-radext-nai-08 AD review _Technical:_ - AAA systems MUST therefore be able to handle user identifiers which are not in the NAI format. ... Systems MAY accept user identifiers in forms other than the NAI. These are contradictory. I believe that: - those two sentences (or paragraphs) should be next to each others. - the second sentence should stress "Non AAA systems" _Systems_MAY accept user identifiers in forms other than the NAI. This specification does not forbid that practice. It only codifies the format and interpretation of the NAI. We cannot expect to change existing protocols or practices. We can, however, suggest that using a consistent form for a user identifier is of a benefit to the community. Where protocols carry identifiers which are expected to be transported over an AAA protocol, it is RECOMMENDED that the identifiers be in NAI format. Where the identifiers are not in the NAI format, it is up to the_AAA systems_ to discover this, and to process them. This document does not suggest how that is done. However, existing practice indicates that it is possible. Be consistent between systems, non-AAA systems, and AAA systems Editorial: - when you produce a new draft version, don't forget http://tools.ietf.org/wg/radext/trac/ticket/176 - Considerable interest exists for a set of features that fit within the general category of inter-domain authentiction authentication - Normalization Canonicalization These terms are defined in[RFC6365] Section 4 <http://tools.ietf.org/html/rfc6365#section-4>. We incorporate the definitions here by reference. Isn't "Normalization or Canonicalization" - Like mentioned in the last bullet point below, all links should point to the RFC4282 sections, not to draft-ietf-radext-nai-08 sections. * The requirement inSection 2.1 <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.1> that realms are ASCII conflicts with the Extensible Authentication Protocol (EAP) and RADIUS, which are both 8-bit clean, and which both recommend the use of UTF-8 for identitifiers. *Section 2.4 <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.4> required mappings that are language-specific, and which are nearly impossible for intermediate nodes to perform correctly without information about that language. *Section 2.4 <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.4> requires normalization of user names, which may conflict with local system or administrative requirements. * The recommendations inSection 2.4 <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.4> for treatment of bidirectional characters have proven to be unworkable. * The prohibition against use of unassigned code points in Section 2.4 <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.4> effectively prohibits support for new scripts. * No Authentication, Authorization, and Accounting (AAA) client, proxy, or server has implemented any of the requirements in[RFC4282] Section 2.4 <http://tools.ietf.org/html/rfc4282#section-2.4>, among other sections. - 5 <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-5>. Administration of Names In order to avoid creating any new administrative procedures, administration of the NAI realm namespace piggybacks on the administration of the DNS namespace. There is a tag issue above. The section tag contains the first line of section 5. Regards, Benoit
- [radext] draft-ietf-radext-nai-08 AD review Benoit Claise
- Re: [radext] draft-ietf-radext-nai-08 AD review Benoit Claise
- Re: [radext] draft-ietf-radext-nai-08 AD review Alan DeKok
- Re: [radext] draft-ietf-radext-nai-08 AD review Benoit Claise
- Re: [radext] draft-ietf-radext-nai-08 AD review Alan DeKok
- Re: [radext] draft-ietf-radext-nai-08 AD review Stefan Winter