Re: [radext] Review of draft-winter-radext-populating-eapidentity-01

Alan DeKok <aland@deployingradius.com> Fri, 24 July 2015 11:26 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <BLU406-EAS149CFB080AF0F5828BA114D93810@phx.gbl>
Date: Fri, 24 Jul 2015 07:25:33 -0400
To: Aboba Bernard <bernard_aboba@hotmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/lkdtNh01INYlUnQlVNxDyKJy0zA>
Cc: Sam Hartman <hartmans@painless-security.com>, Winter Stefan <stefan.winter@restena.lu>, "radext@ietf.org" <radext@ietf.org>

On Jul 24, 2015, at 7:20 AM, Bernard Aboba <bernard_aboba@hotmail.com> wrote:

> On Jul 24, 2015, at 12:51, Alan DeKok <aland@deployingradius.com> wrote:
>> 
>> What does it mean when the inner identity is "user@example.com", and the method identity is "CORP/bob"?  Who is being authenticated here?
> 
> [BA] It means that the example.com RADIUS server is being asked to authenticate user bob in the CORP domain. In practice, this typically means that CORP is within the example.com Forest (e.g. Corp.example.com), otherwise the authentication would not succeed.

  I'm happy to make that assumption, but I'm not sure it's always true.

  On a similar note, what about:

outer: user1@example.org

inner: user2@example.com

  *and* where the example.org server is a proxy, and can proxy to example.com.  Should the .org server de-capsulate the outer session, and send only the inner session to the .com site?

  These problems don't have clear solutions to me.  The simplest response is to forbid cross-domain identities.  That may not be practical, but we know it's safe.

  Alan DeKok.
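The "forbid cross-domain identities" rule from the message above, worked through as an added example (not code from the thread or from any RADIUS server): the home server parses the outer and inner identities, accepts only when both fall in the realm it is authoritative for, and rejects the proxy-and-decapsulate cases the thread leaves open. Treating a dotted sub-realm such as corp.example.com as part of example.com, and the strict handling of a bare NT-style "CORP/bob", are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    realm: Optional[str]  # None when no realm part was supplied


def parse_identity(raw: str) -> Identity:
    """Split an NAI ("user@realm", RFC 7542: realm follows the LAST '@')
    or a Windows-style DOMAIN\\user / DOMAIN/user identity into its parts."""
    if "@" in raw:
        user, realm = raw.rsplit("@", 1)
        return Identity(user, realm.lower() or None)
    for sep in ("\\", "/"):
        if sep in raw:
            domain, user = raw.split(sep, 1)
            return Identity(user, domain.lower() or None)
    return Identity(raw, None)


def _in_realm(realm: Optional[str], home: str) -> bool:
    """Assumption: a dotted sub-realm (corp.example.com) belongs to example.com;
    a bare NT domain ("corp") does not, so it is treated as foreign."""
    return realm is not None and (realm == home or realm.endswith("." + home))


def same_realm_policy(outer: str, inner: str, home_realm: str) -> Tuple[bool, str]:
    """Accept only if outer and inner identities both belong to home_realm.
    Returns (accept, reason) so the reason can be logged on reject."""
    o, i = parse_identity(outer), parse_identity(inner)
    home = home_realm.lower()
    if not _in_realm(o.realm, home):
        # e.g. outer user1@example.org arriving at the example.com server:
        # this session would have to be proxied, which the policy forbids.
        return False, f"outer realm {o.realm!r} is not {home!r}"
    if i.realm is None:
        # RFC 7542: no realm means a local user; the outer realm was ours.
        return True, "inner identity has no realm; treated as local"
    if not _in_realm(i.realm, home):
        return False, f"inner realm {i.realm!r} differs from {home!r}: cross-domain"
    return True, "outer and inner identities are both in the home realm"
```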