Re: [radext] WGLC #1 for draft-ietf-radext-nai-03
Sam Hartman <hartmans@painless-security.com> Thu, 20 June 2013 09:54 UTC
Return-Path: <hartmans@painless-security.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5464111E8116 for <radext@ietfa.amsl.com>; Thu, 20 Jun 2013 02:54:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BY2qJAC8IF1q for <radext@ietfa.amsl.com>; Thu, 20 Jun 2013 02:53:56 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id 739FB11E8112 for <radext@ietf.org>; Thu, 20 Jun 2013 02:53:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 3105A20127; Thu, 20 Jun 2013 05:49:57 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Mvm_DH4Iftt; Thu, 20 Jun 2013 05:49:55 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-98-216-0-82.hsd1.ma.comcast.net [98.216.0.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Thu, 20 Jun 2013 05:49:55 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id AFECF807E8; Thu, 20 Jun 2013 05:53:36 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alan DeKok <aland@deployingradius.com>
References: <7104B68E-C97B-4847-B0BF-8590ED1810D7@gmail.com> <A1E4691F-0EB3-41ED-8771-67CF4AED4FCA@gmail.com> <51C1BA01.7060106@deployingradius.com> <BLU169-W63408B8B132AA00E972F75938D0@phx.gbl> <51C1CFC5.5090209@deployingradius.com> <51C25283.8030007@deployingradius.com>
Date: Thu, 20 Jun 2013 05:53:36 -0400
In-Reply-To: <51C25283.8030007@deployingradius.com> (Alan DeKok's message of "Wed, 19 Jun 2013 20:53:23 -0400")
Message-ID: <tslehbxt8f3.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] WGLC #1 for draft-ietf-radext-nai-03
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2013 09:54:02 -0000
>>>>> "Alan" == Alan DeKok <aland@deployingradius.com> writes: Alan> Bernard and I had a long talk today about the NAI document. Alan> There are some clear points, but there is still one point Alan> which is unclear. Alan> It's not clear if the process of normalizing a realm name is Alan> independent of Unicode version. If it is, then proxies can Alan> happily normalize what they get, and we don't care what Alan> endpoints produce. Alan> If it's dependent on Unicode version, then the only system Alan> capable of normalizing the NAI is the endpoint which produces Alan> it. And they don't normalize NAIs now. I think this thinking is bogus. We're trying to create interoperability. If we improve the fraction of the time things work, we've made forward progress even if there are corner cases where it doesn't work. Endpoints MUST (BUT WE KNOW yOU WON't) normalize because there are some cases where it's unicode version dependent and a proxy with an older version has no hope of succeeding. However, in practice, proxies can do a lot, and so they should. First, the proxy may not have things stored in Unicode. Or it may have its routing tables stored in a database that has its own approach to I18N (say LDAP or some SQL database). In practice, people will sometimes let that database do the normalization, and if it increases the chance that you'll route to the realm then you should encourage that. It seems bogus to me to assume you need a perfect solution, to assume normalization can happen in one place or to ignore the long picture as we migrate things 10-15 years from now. --Sam
- [radext] WGLC #1 for draft-ietf-radext-nai-03 Jouni Korhonen
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Jouni Korhonen
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Alan DeKok
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Bernard Aboba
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Alan DeKok
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Alan DeKok
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Sam Hartman
- Re: [radext] WGLC #1 for draft-ietf-radext-nai-03 Bernard Aboba