Re: [radext] CUI comments in "deprecating insecure transports"

Margaret Cullen <mrcullen42@gmail.com> Wed, 26 July 2023 18:01 UTC

From: Margaret Cullen <mrcullen42@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 26 Jul 2023 11:01:26 -0700
Message-Id: <2821C902-ED3B-4743-AA4B-E858E530F0FC@gmail.com>
References: <076501d9bfe8$61d13a00$2573ae00$@gmail.com>
Cc: Alan DeKok <aland@deployingradius.com>, radext@ietf.org
In-Reply-To: <076501d9bfe8$61d13a00$2573ae00$@gmail.com>
To: josh.howlett@gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/Sz8tFxfYZDcRG42QjXHMVBno_FU>
Subject: Re: [radext] CUI comments in "deprecating insecure transports"

Hi Josh,
> 
>> The important point is that the same CUI MUST not be sent to multiple
> access
>> providers to identify the same user.  Hopefully we all agreed on that.
> 
> I'm not sure I do agree with that :-) because there are lawful and
> legitimate reasons for IDPs and access providers to want to do that. If CUI
> doesn't meet these needs, it is trivial to create a VSA that does...

Then perhaps the only thing we have consensus to do in this document is to point out the privacy implications of using the same CUI across multiple access providers and across multiple sessions, and leave it at that?

Or would you agree with something like: “In cases where a persistent CUI is required to meet business or contractual requirements, user privacy can be enhanced by limiting CUI persistence to the scope required to meet those requirements?”

Margaret
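The wording proposed above (limiting CUI persistence to the scope that the business requirement actually needs) can be made concrete on the identity-provider side. The following is an added example, not code from the thread, from any RADIUS implementation, or from the draft under discussion. It assumes the IdP derives the Chargeable-User-Identity statelessly as an HMAC-SHA256 over the user identity plus whatever scoping inputs the chosen policy includes; the key, realm names and session ids are constructed values, and the `CuiScope` policy names are my own, not terms from RFC 4372 or the draft. With a global scope the same CUI reaches every access provider and every session (the linkability concern raised in the thread); with a per-provider scope the value stays stable for one provider, so billing and abuse handling for that provider still work, but two providers cannot correlate the user; with a per-session scope the value is fresh each time.

```python
import hmac
import hashlib
from enum import Enum


class CuiScope(Enum):
    """How far a derived CUI stays linkable (policy names are illustrative, not from RFC 4372)."""
    GLOBAL = "global"          # same CUI to every access provider and every session
    PER_PROVIDER = "provider"  # stable for one access provider, unlinkable across providers
    PER_SESSION = "session"    # fresh value for every session


# Constructed IdP-side secret for this example only; a real deployment keeps it in a KMS/HSM.
IDP_CUI_KEY = b"constructed-idp-cui-derivation-key"


def _encode_parts(parts: list[bytes]) -> bytes:
    """Length-prefix each field so 'a'+'bc' and 'ab'+'c' cannot collide after concatenation."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def derive_cui(user_id: str, provider_realm: str, session_id: str,
               scope: CuiScope, key: bytes = IDP_CUI_KEY) -> str:
    """Derive a pseudonymous CUI whose linkability is bounded by `scope`.

    Only the inputs the policy allows enter the MAC, so a value derived for one
    provider carries no information usable to match it against another provider's.
    The result is 32 hex characters, well within the 253-octet RADIUS String limit.
    """
    parts = [scope.value.encode(), user_id.encode()]
    if scope in (CuiScope.PER_PROVIDER, CuiScope.PER_SESSION):
        parts.append(provider_realm.encode())
    if scope is CuiScope.PER_SESSION:
        parts.append(session_id.encode())
    digest = hmac.new(key, _encode_parts(parts), hashlib.sha256).digest()
    return digest[:16].hex()


def verify_cui(cui: str, user_id: str, provider_realm: str, session_id: str,
               scope: CuiScope, key: bytes = IDP_CUI_KEY) -> bool:
    """Re-derive and compare in constant time.

    Because derivation is stateless, the IdP can confirm during a billing or abuse
    dispute that a CUI presented by a provider belongs to a given user without
    keeping a mapping table of every CUI it ever issued.
    """
    expected = derive_cui(user_id, provider_realm, session_id, scope, key)
    return hmac.compare_digest(expected, cui)


def cuis_seen_by_provider(user_id: str, providers: list[str], sessions: list[str],
                          scope: CuiScope) -> dict[str, set[str]]:
    """Simulate several sessions at several access providers; return what each provider sees."""
    return {
        realm: {derive_cui(user_id, realm, sid, scope) for sid in sessions}
        for realm in providers
    }


if __name__ == "__main__":
    # Constructed sample data: one user roaming across two access providers, three sessions each.
    user = "alice@idp.example"
    providers = ["hotspot-a.example", "hotspot-b.example"]
    sessions = ["sess-1", "sess-2", "sess-3"]
    for scope in CuiScope:
        seen = cuis_seen_by_provider(user, providers, sessions, scope)
        print(f"{scope.name:13s}", {realm: sorted(v) for realm, v in seen.items()})
```

Under `PER_PROVIDER`, each provider's set holds exactly one value and the two sets are disjoint, which is the property the proposed sentence asks for: persistence where the contract needs it, and nothing beyond that. Rotating `IDP_CUI_KEY` on a schedule bounds persistence in time as well, at the cost of breaking re-derivation for sessions older than the rotation.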