IETF Logo Mail Archive

Re: [radext] Review of draft-winter-radext-populating-eapidentity-01

Sam Hartman <hartmans@painless-security.com> Mon, 20 July 2015 12:39 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05E961A8716 for <radext@ietfa.amsl.com>; Mon, 20 Jul 2015 05:39:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LzmG0Dv1Vo9U for <radext@ietfa.amsl.com>; Mon, 20 Jul 2015 05:39:02 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C70B61A872D for <radext@ietf.org>; Mon, 20 Jul 2015 05:38:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 90C1320752; Mon, 20 Jul 2015 08:38:33 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AE_U2R94byGu; Mon, 20 Jul 2015 08:38:33 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-8970.meeting.ietf.org [31.133.137.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Mon, 20 Jul 2015 08:38:32 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id E3B2488672; Mon, 20 Jul 2015 08:38:50 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Bernard Aboba <bernard_aboba@hotmail.com>
References: <11856_1427820628_551AD054_11856_4576_1_6B7134B31289DC4FAF731D844122B36EEF6888@PEXCVZYM13.corporate.adroot.infra.ftgroup> <tsllhid84gm.fsf@mit.edu> <BLU181-W6B49664DD504DDAF5CC9F93F40@phx.gbl> <30317_1427824394_551ADF0A_30317_14370_1_6B7134B31289DC4FAF731D844122B36EEF74CD@PEXCVZYM13.corporate.adroot.infra.ftgroup> <BLU181-W86B005505E6468F75180593F40@phx.gbl> <tsl4mp182ku.fsf@mit.edu> <BA6CBD09-148F-4F8C-9B81-8A4A88B64287@deployingradius.com> <BLU406-EAS343D630A63D85F897C0EC8793F40@phx.gbl> <14078_1427880628_551BBAB4_14078_5155_1_6B7134B31289DC4FAF731D844122B36EF0B91F@PEXCVZYM13.corporate.adroot.infra.ftgroup> <190D3355-0BB7-48D5-BEA2-55773E9BD785@deployingradius.com> <24001_1437383629_55ACBBCD_24001_3716_1_6B7134B31289DC4FAF731D844122B36E01CC9ED3@OPEXCLILM43.corporate.adroot.infra.ftgroup> <BLU181-W94C6FC52C2E3CD666F631A93850@phx.gbl> <tslzj2r5aoj.fsf@mit.edu> <BLU406-EAS122D6B206E6EADC5A67F61193850@phx.gbl>
Date: Mon, 20 Jul 2015 08:38:50 -0400
In-Reply-To: <BLU406-EAS122D6B206E6EADC5A67F61193850@phx.gbl> (Bernard Aboba's message of "Mon, 20 Jul 2015 14:33:58 +0200")
Message-ID: <tslwpxv3sx1.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/PrsnscplPjLzVKCyeA2piapfk1Y>
Cc: radext@ietf.org
Subject: Re: [radext] Review of draft-winter-radext-populating-eapidentity-01
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 12:39:05 -0000

>>>>> "Bernard" == Bernard Aboba <bernard_aboba@hotmail.com> writes:

    Bernard> On Jul 20, 2015, at 13:29, Sam Hartman <hartmans@painless-security.com> wrote:
    >> Other implementations request both identities from the user.
    >> However, I don't know anything that tries to map back from a
    >> method identity to an eap response.

    Bernard> [BA] Neither do I - it's a bad idea.  That's why Section
    Bernard> 4's advice seems so strange:

    Bernard>     If an EAP authentication gets rejected, the EAP peer
    Bernard> SHOULD re-try the authentication using a different
    Bernard> EAP-Response/Identity than before.  The EAP peer SHOULD try
    Bernard> all user identifiers from the entire set of configured EAP
    Bernard> types before declaring final authentication failure.

    Bernard> [BA] "all user identities" appears to imply using
    Bernard> method-specific identities to construct the
    Bernard> EAP-Response/Identity.

Ah, that's not how I read it at all.
I read that as saying that you try all the identities you have.
If you're an implementation that stores outer identities separately from
inner identities, then try all your outer identities.
If you're an implementation that maps both from a common principal, do
that for all your principals.


    Bernard>    EAP peers need to maintain state on the encoding of the
    Bernard> user identifiers which are used in their locally configured
    Bernard> EAP types.  When constructing an EAP-Response/Identity from
    Bernard> that user identifier,

    Bernard> [BA] Again, this seems to imply using method-specific
    Bernard> identities to construct the EAP-Response/Identity.

I see what you're saying now.
I think what the text is trying to talk about there is constructing both
from some common principal/idea about an account.  However it could be
read as constructing one from another.
And also, it doesn't deal as well with the case where they are separate.

v2.23.0 | Report a Bug | By Email