Re: [radext] CUI comments in "deprecating insecure transports"
Margaret Cullen <mrcullen42@gmail.com> Wed, 26 July 2023 16:47 UTC
Return-Path: <mrcullen42@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC8B6C15109C for <radext@ietfa.amsl.com>; Wed, 26 Jul 2023 09:47:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.858
X-Spam-Level:
X-Spam-Status: No, score=-6.858 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dEFTgmOvOfDY for <radext@ietfa.amsl.com>; Wed, 26 Jul 2023 09:47:20 -0700 (PDT)
Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79982C151084 for <radext@ietf.org>; Wed, 26 Jul 2023 09:47:20 -0700 (PDT)
Received: by mail-pj1-x1029.google.com with SMTP id 98e67ed59e1d1-26824c32cfbso834717a91.1 for <radext@ietf.org>; Wed, 26 Jul 2023 09:47:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1690390039; x=1690994839; h=to:references:message-id:date:cc:in-reply-to:from:subject :mime-version:content-transfer-encoding:from:to:cc:subject:date :message-id:reply-to; bh=P/p3gBS/4y5g7SWLuVTHuNlvuMckpMfsoG/uTWi9HOU=; b=SaQxtDwV/VFDY6iJroi1i5etw91YRH/ajBmMw/RuN9ajvq5Ku0R2i+Zv8yuJNGDZXd /ei5f6JsWvqOI53c9rXXdSqUGc/CdLIcSQXwFcCyTaPIp2iSo6b0+7n25yNpFzguaDS5 PmPJ6y7XtUvVjs3A71B+6y7fi8wNDMCCHVae2Vc9Z6LIe3IdNPLN/PPEB0lLvpL9bB2e LzKnPKvpn0NT6KFRTxoqpIyPNgAtIfhgCZct13FDWl0dzg+b/bRevjXSwFG9jY6OsokB vAbDysXNPk8g6DSLQd86B35cPbWQNnfgZAKv4/721eTDsElOXSW2PKX2A2l+kMdyvTw/ C6Jw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690390039; x=1690994839; h=to:references:message-id:date:cc:in-reply-to:from:subject :mime-version:content-transfer-encoding:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=P/p3gBS/4y5g7SWLuVTHuNlvuMckpMfsoG/uTWi9HOU=; b=Wjjb9FYpjoItQQvUhZiFcwi3lZOVcwYdiLiqBRboIdwC4x0drD4tBwbMlJv03Vs5vw azg7GjezsbtHat4A/FOghhNI+zBshgQHRiPcHZeyaoP19Q+vlIYbWJ5JQueKm+sT/sYy V5Vbz+ovP/mFKI9BM06Y6XUXIehlcgrEUBKRUkR9Bv4ksEVpKpzIEd4GHtr+/IyCXtmm FDK3XoO3LNwY1SkXFOWK3lfL1cbutkV1724tRBNHgwWDsqkhKS4ODUzgPQo7gmKeI3iM IapoHxTHWAPdDCqkQEfBIoV+09/EwDLef8q1kVrNjPnSVoph1LS6VFCHPGGyUMhDDR3k 4MYA==
X-Gm-Message-State: ABy/qLY5Q/KKwnZInddPnXc8Fop1rgiyQwzQLa8DIv4KnWi8F9lmnmKu PyX+Kunj3eHJkAGY4j8uA1whnqpQwKA=
X-Google-Smtp-Source: APBJJlFXYrEl/wS6Q+PI/PV62K71Nl/tS5MlXlC0cxKNIU3PW1FQC8tLZVlNPt3mFP2itRvh9lyVUQ==
X-Received: by 2002:a17:90a:5147:b0:268:1162:ae80 with SMTP id k7-20020a17090a514700b002681162ae80mr42614pjm.19.1690390039286; Wed, 26 Jul 2023 09:47:19 -0700 (PDT)
Received: from smtpclient.apple ([2607:fb90:9fad:d123:9c20:7f4a:e146:be84]) by smtp.gmail.com with ESMTPSA id e14-20020a17090a280e00b00263b4b1255esm1551784pjd.51.2023.07.26.09.47.18 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 26 Jul 2023 09:47:18 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
From: Margaret Cullen <mrcullen42@gmail.com>
In-Reply-To: <06c301d9bfc0$e07154d0$a153fe70$@gmail.com>
Cc: Alan DeKok <aland@deployingradius.com>, radext@ietf.org
Date: Wed, 26 Jul 2023 09:47:07 -0700
Message-Id: <5390176A-A8D1-40E5-AA3B-9008328650F9@gmail.com>
References: <06c301d9bfc0$e07154d0$a153fe70$@gmail.com>
To: josh.howlett@gmail.com
X-Mailer: iPhone Mail (20F75)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/qrlYs2Qe8NoQ1wzW8-q0MeatZ3M>
Subject: Re: [radext] CUI comments in "deprecating insecure transports"
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2023 16:47:20 -0000
Hi Josh, > On Jul 26, 2023, at 5:58 AM, josh.howlett@gmail.com wrote: > There are good reasons for the CUI value to be persistent, provided that it > is targeted to each network access provider. In this way, different > providers cannot collude to track users. However, they still maintain the > ability to *recognise* (but not identify) the same user that they saw earlier I understand the value of using a single, unique CUI per user/service provider pair in application-level authentication, because the user may have persistent data or state associated with previous application sessions. The current document text claims that a persistent CUI across sessions is not needed for network access. Do you think there is per-user state that might be maintained by the access provider across sessions, requiring a persistent CUI? If so, we might want to say that the CUI MUST be unique per user/access provider pair, rather than unique per-session. In either case, the IDP can store the user<->CUI mapping for later use, whether it is generated for each access provider or for each session, so that the user can be identified later, if necessary. The important point is that the same CUI MUST not be sent to multiple access providers to identify the same user. Hopefully we all agreed on that. Margaret
- [radext] CUI comments in "deprecating insecure tr… Alan DeKok
- Re: [radext] CUI comments in "deprecating insecur… josh.howlett
- Re: [radext] CUI comments in "deprecating insecur… Alan DeKok
- Re: [radext] CUI comments in "deprecating insecur… Mark Grayson (mgrayson)
- Re: [radext] CUI comments in "deprecating insecur… Alexander Clouter
- Re: [radext] CUI comments in "deprecating insecur… Alan DeKok
- Re: [radext] CUI comments in "deprecating insecur… Alan DeKok
- Re: [radext] CUI comments in "deprecating insecur… Margaret Cullen
- Re: [radext] CUI comments in "deprecating insecur… Alan DeKok
- Re: [radext] CUI comments in "deprecating insecur… Alan DeKok
- Re: [radext] CUI comments in "deprecating insecur… josh.howlett
- Re: [radext] CUI comments in "deprecating insecur… Margaret Cullen
- Re: [radext] CUI comments in "deprecating insecur… josh.howlett
- Re: [radext] CUI comments in "deprecating insecur… Arran Cudbard-Bell
- Re: [radext] CUI comments in "deprecating insecur… Alexander Clouter
- Re: [radext] CUI comments in "deprecating insecur… Alexander Clouter
- Re: [radext] CUI comments in "deprecating insecur… Alexander Clouter
- Re: [radext] CUI comments in "deprecating insecur… Arran Cudbard-Bell
- Re: [radext] CUI comments in "deprecating insecur… Arran Cudbard-Bell
- Re: [radext] CUI comments in "deprecating insecur… Alan DeKok
- Re: [radext] CUI comments in "deprecating insecur… josh.howlett
- Re: [radext] CUI comments in "deprecating insecur… Heikki Vatiainen
- Re: [radext] CUI comments in "deprecating insecur… Heikki Vatiainen
- Re: [radext] CUI comments in "deprecating insecur… Michael Richardson