Re: [radext] draft-ietf-radext-nai-08 AD review
Alan DeKok <aland@deployingradius.com> Wed, 29 October 2014 20:28 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD0C01A88C8 for <radext@ietfa.amsl.com>; Wed, 29 Oct 2014 13:28:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nn10RXJRfpgg for <radext@ietfa.amsl.com>; Wed, 29 Oct 2014 13:28:17 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [195.154.231.44]) by ietfa.amsl.com (Postfix) with ESMTP id C55DB1A0154 for <radext@ietf.org>; Wed, 29 Oct 2014 13:28:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 1292D2240404; Wed, 29 Oct 2014 21:28:16 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6fQAKENsrahw; Wed, 29 Oct 2014 21:28:15 +0100 (CET)
Received: from Thor.local (206-248-157-156.dsl.teksavvy.com [206.248.157.156]) by power.freeradius.org (Postfix) with ESMTPSA id D83D8224021D; Wed, 29 Oct 2014 21:28:14 +0100 (CET)
Message-ID: <54514DDD.8090401@deployingradius.com>
Date: Wed, 29 Oct 2014 16:28:13 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Benoit Claise <bclaise@cisco.com>
References: <54501DF8.3070802@cisco.com> <54514876.9010105@cisco.com>
In-Reply-To: <54514876.9010105@cisco.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/radext/SlV6b4BkiYl6Oom_g5PcgGsuYtg
Cc: "radext@ietf.org" <radext@ietf.org>, draft-ietf-radext-nai@tools.ietf.org
Subject: Re: [radext] draft-ietf-radext-nai-08 AD review
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 20:28:19 -0000
Benoit Claise wrote: > > Alan, > > Thanks for the version 9. > The technical comment has been taken care of. Thanks. > It's however a missed opportunity not to have taken into account the > editorial comments below. I thought I had done that... - "systems" qualified to non-AAA, AAA, and edge - re-work the contradictory sentences - etc. > Regards, Benoit >> Dear all, >> >> Here is my draft-ietf-radext-nai-08 AD review >> >> _Technical:_ >> - >> AAA systems MUST therefore be >> able to handle user identifiers which are not in the NAI format. >> ... >> >> Systems MAY accept user identifiers in forms other than the NAI. >> These are contradictory. >> I believe that: >> - those two sentences (or paragraphs) should be next to each others. >> - the second sentence should stress "Non AAA systems" >> >> _Systems _MAY accept user identifiers in forms other than the NAI. >> This specification does not forbid that practice. It only codifies >> the format and interpretation of the NAI. We cannot expect to change >> existing protocols or practices. We can, however, suggest that using >> a consistent form for a user identifier is of a benefit to the >> community. >> >> Where protocols carry identifiers which are expected to be >> transported over an AAA protocol, it is RECOMMENDED that the >> identifiers be in NAI format. Where the identifiers are not in the >> NAI format, it is up to the _AAA systems_ to discover this, and to >> process them. This document does not suggest how that is done. >> However, existing practice indicates that it is possible. >> Be consistent between systems, non-AAA systems, and AAA systems >> >> Editorial: >> >> - >> when you produce a new draft version, don't forget >> http://tools.ietf.org/wg/radext/trac/ticket/176 >> >> - >> Considerable interest exists for a set of features that fit within >> the general category of inter-domain authentiction >> >> authentication >> >> - >> Normalization Canonicalization >> >> These terms are defined in [RFC6365] Section 4 <http://tools.ietf.org/html/rfc6365#section-4>. We incorporate >> the definitions here by reference. >> Isn't "Normalization or Canonicalization" >> >> - Like mentioned in the last bullet point below, all links should >> point to the RFC4282 sections, not to draft-ietf-radext-nai-08 sections. >> * The requirement in Section 2.1 <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.1> that realms are ASCII conflicts >> with the Extensible Authentication Protocol (EAP) and RADIUS, >> which are both 8-bit clean, and which both recommend the use of >> UTF-8 for identitifiers. >> >> * Section 2.4 <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.4> required mappings that are language-specific, >> and which are nearly impossible for intermediate nodes to perform >> correctly without information about that language. >> >> * Section 2.4 <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.4> requires normalization of user names, which >> may conflict with local system or administrative requirements. >> >> * The recommendations in Section 2.4 <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.4> for treatment of >> bidirectional characters have proven to be unworkable. >> >> * The prohibition against use of unassigned code points in >> Section 2.4 <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.4> effectively prohibits support for new scripts. >> >> * No Authentication, Authorization, and Accounting (AAA) >> client, proxy, or server has implemented any of the requirements >> in [RFC4282] Section 2.4 <http://tools.ietf.org/html/rfc4282#section-2.4>, among other sections. >> >> >> - >> >> >> 5 <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-5>. >> Administration of Names >> >> >> In order to avoid creating any new administrative procedures, >> >> >> administration of the NAI realm namespace piggybacks on the >> administration of the DNS namespace. >> >> There is a tag issue above. The section tag contains the first line of section 5. >> >> Regards, Benoit >> >> >> _______________________________________________ >> radext mailing list >> radext@ietf.org >> https://www.ietf.org/mailman/listinfo/radext >
- [radext] draft-ietf-radext-nai-08 AD review Benoit Claise
- Re: [radext] draft-ietf-radext-nai-08 AD review Benoit Claise
- Re: [radext] draft-ietf-radext-nai-08 AD review Alan DeKok
- Re: [radext] draft-ietf-radext-nai-08 AD review Benoit Claise
- Re: [radext] draft-ietf-radext-nai-08 AD review Alan DeKok
- Re: [radext] draft-ietf-radext-nai-08 AD review Stefan Winter