Re: [radext] WGLC #1 for draft-ietf-radext-nai-03
Alan DeKok <aland@deployingradius.com> Wed, 19 June 2013 14:03 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 231CD21F9C0F for <radext@ietfa.amsl.com>; Wed, 19 Jun 2013 07:03:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PdrrEYhS9bgm for <radext@ietfa.amsl.com>; Wed, 19 Jun 2013 07:03:34 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 2761521F9CC2 for <radext@ietf.org>; Wed, 19 Jun 2013 07:03:34 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 6B06E224007C; Wed, 19 Jun 2013 16:02:40 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TsAQZKeRgCHs; Wed, 19 Jun 2013 16:02:39 +0200 (CEST)
Received: from Thor-2.local (bas1-ottawa11-1176120556.dsl.bell.ca [70.26.44.236]) by power.freeradius.org (Postfix) with ESMTPSA id 3467D2240054; Wed, 19 Jun 2013 16:02:39 +0200 (CEST)
Message-ID: <51C1BA01.7060106@deployingradius.com>
Date: Wed, 19 Jun 2013 10:02:41 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Jouni Korhonen <jouni.nospam@gmail.com>
References: <7104B68E-C97B-4847-B0BF-8590ED1810D7@gmail.com> <A1E4691F-0EB3-41ED-8771-67CF4AED4FCA@gmail.com>
In-Reply-To: <A1E4691F-0EB3-41ED-8771-67CF4AED4FCA@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "radext@ietf.org" <radext@ietf.org>, "radext-chairs@tools.ietf.org" <radext-chairs@tools.ietf.org>
Subject: Re: [radext] WGLC #1 for draft-ietf-radext-nai-03
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jun 2013 14:03:41 -0000
Jouni Korhonen wrote: > The WGLC#1 has ended. There are now five open tickets in the issue tracker > (#162, #145, #146, #164 and #167). I encourage the I-D author(s) and the WG > to sort out the remaining tickets as soon as possible. I should have an updated draft on Friday. Who does normalization is a big issue. I think it should be done at the edge, for a number of reasons. For one, it follows the general Internet philosophy of having smart edges and a dumb core. For another, it's really the only workable approach. Let's look at an example. Proxy P has been deployed, and is running quite happily for years. End user device E wants to get network access. The user just bought it, and it's fully of shiny new unicode goodness. Including code points which are unknown to proxy P. The end point account "belongs" to home server H. It may, or may not, have the same unicode information as the endpoint E. It may, or may not, have the same unicode information as proxy P. It has been suggested that the proxy P do normalization. Partly because end points don't do it now, and because there are fewer proxies than end points. However, according to the scenario above (which WILL happen), proxy P has insufficient information to normalize the realm used by E. So the *only* thing that P can do is to treat it as an opaque string. However, home server H has supplied P with a "canonical" version of the realm, as canonicalized by H. This realm is sadly not the same byte string as supplied by E. Therefore, E can't authenticate. H has to either supply P with *all* possible versions of it's realm, or has to give up, and not use i18n at all. All this comes about because E is pretty much guaranteed to be newer than P or H. It is therefore the *only* entity in the network who is capable of normalizing the realm. No one else has the correct information. See this page for a recent example of how normalization issues can cause security holes: http://labs.spotify.com/2013/06/18/creative-usernames/ My $0.02 is the following: - proxies should try to normalize realms, knowing that many endpoints won't do that. If the realm can't be normalized, treat it as an opaque byte string. - end points MUST normalize realms. Yes, they don't do this now. Too bad. We've been riding the ASCII wave for 50 years, and it's about to crash hard on the shoals of i18n. I'd like counter-examples showing that end points shouldn't do normalization. Alan DeKok.
- [radext] WGLC #1 for draft-ietf-radext-nai-03 Jouni Korhonen
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Jouni Korhonen
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Alan DeKok
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Bernard Aboba
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Alan DeKok
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Alan DeKok
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Sam Hartman
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Bernard Aboba