Re: [radext] Review of draft-winter-radext-populating-eapidentity-01
Sam Hartman <hartmans@painless-security.com> Mon, 20 July 2015 12:39 UTC
Return-Path: <hartmans@painless-security.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05E961A8716 for <radext@ietfa.amsl.com>; Mon, 20 Jul 2015 05:39:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LzmG0Dv1Vo9U for <radext@ietfa.amsl.com>; Mon, 20 Jul 2015 05:39:02 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C70B61A872D for <radext@ietf.org>; Mon, 20 Jul 2015 05:38:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 90C1320752; Mon, 20 Jul 2015 08:38:33 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AE_U2R94byGu; Mon, 20 Jul 2015 08:38:33 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-8970.meeting.ietf.org [31.133.137.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Mon, 20 Jul 2015 08:38:32 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id E3B2488672; Mon, 20 Jul 2015 08:38:50 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Bernard Aboba <bernard_aboba@hotmail.com>
References: <11856_1427820628_551AD054_11856_4576_1_6B7134B31289DC4FAF731D844122B36EEF6888@PEXCVZYM13.corporate.adroot.infra.ftgroup> <tsllhid84gm.fsf@mit.edu> <BLU181-W6B49664DD504DDAF5CC9F93F40@phx.gbl> <30317_1427824394_551ADF0A_30317_14370_1_6B7134B31289DC4FAF731D844122B36EEF74CD@PEXCVZYM13.corporate.adroot.infra.ftgroup> <BLU181-W86B005505E6468F75180593F40@phx.gbl> <tsl4mp182ku.fsf@mit.edu> <BA6CBD09-148F-4F8C-9B81-8A4A88B64287@deployingradius.com> <BLU406-EAS343D630A63D85F897C0EC8793F40@phx.gbl> <14078_1427880628_551BBAB4_14078_5155_1_6B7134B31289DC4FAF731D844122B36EF0B91F@PEXCVZYM13.corporate.adroot.infra.ftgroup> <190D3355-0BB7-48D5-BEA2-55773E9BD785@deployingradius.com> <24001_1437383629_55ACBBCD_24001_3716_1_6B7134B31289DC4FAF731D844122B36E01CC9ED3@OPEXCLILM43.corporate.adroot.infra.ftgroup> <BLU181-W94C6FC52C2E3CD666F631A93850@phx.gbl> <tslzj2r5aoj.fsf@mit.edu> <BLU406-EAS122D6B206E6EADC5A67F61193850@phx.gbl>
Date: Mon, 20 Jul 2015 08:38:50 -0400
In-Reply-To: <BLU406-EAS122D6B206E6EADC5A67F61193850@phx.gbl> (Bernard Aboba's message of "Mon, 20 Jul 2015 14:33:58 +0200")
Message-ID: <tslwpxv3sx1.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/PrsnscplPjLzVKCyeA2piapfk1Y>
Cc: radext@ietf.org
Subject: Re: [radext] Review of draft-winter-radext-populating-eapidentity-01
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 12:39:05 -0000
>>>>> "Bernard" == Bernard Aboba <bernard_aboba@hotmail.com> writes: Bernard> On Jul 20, 2015, at 13:29, Sam Hartman <hartmans@painless-security.com> wrote: >> Other implementations request both identities from the user. >> However, I don't know anything that tries to map back from a >> method identity to an eap response. Bernard> [BA] Neither do I - it's a bad idea. That's why Section Bernard> 4's advice seems so strange: Bernard> If an EAP authentication gets rejected, the EAP peer Bernard> SHOULD re-try the authentication using a different Bernard> EAP-Response/Identity than before. The EAP peer SHOULD try Bernard> all user identifiers from the entire set of configured EAP Bernard> types before declaring final authentication failure. Bernard> [BA] "all user identities" appears to imply using Bernard> method-specific identities to construct the Bernard> EAP-Response/Identity. Ah, that's not how I read it at all. I read that as saying that you try all the identities you have. If you're an implementation that stores outer identities separately from inner identities, then try all your outer identities. If you're an implementation that maps both from a common principal, do that for all your principals. Bernard> EAP peers need to maintain state on the encoding of the Bernard> user identifiers which are used in their locally configured Bernard> EAP types. When constructing an EAP-Response/Identity from Bernard> that user identifier, Bernard> [BA] Again, this seems to imply using method-specific Bernard> identities to construct the EAP-Response/Identity. I see what you're saying now. I think what the text is trying to talk about there is constructing both from some common principal/idea about an account. However it could be read as constructing one from another. And also, it doesn't deal as well with the case where they are separate.
- [radext] Start of Call for Adoption for draft-win… lionel.morand
- Re: [radext] Start of Call for Adoption for draft… Sam Hartman
- Re: [radext] Start of Call for Adoption for draft… Bernard Aboba
- Re: [radext] Start of Call for Adoption for draft… Sam Hartman
- Re: [radext] Start of Call for Adoption for draft… Alan DeKok
- Re: [radext] Start of Call for Adoption for draft… lionel.morand
- Re: [radext] Start of Call for Adoption for draft… Bernard Aboba
- Re: [radext] Start of Call for Adoption for draft… Sam Hartman
- Re: [radext] Start of Call for Adoption for draft… Alan DeKok
- Re: [radext] Start of Call for Adoption for draft… Bernard Aboba
- Re: [radext] Start of Call for Adoption for draft… lionel.morand
- Re: [radext] Start of Call for Adoption for draft… Alan DeKok
- Re: [radext] Start of Call for Adoption for draft… lionel.morand
- [radext] Review of draft-winter-radext-populating… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Sam Hartman
- Re: [radext] Review of draft-winter-radext-popula… lionel.morand
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Sam Hartman
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Sam Hartman
- Re: [radext] Review of draft-winter-radext-popula… lionel.morand
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Stefan Winter
- Re: [radext] Review of draft-winter-radext-popula… Stefan Winter
- Re: [radext] Review of draft-winter-radext-popula… Stefan Winter
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Sam Hartman
- Re: [radext] Review of draft-winter-radext-popula… Alan DeKok
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Alan DeKok