IETF Logo Mail Archive

Re: [radext] CUI comments in "deprecating insecure transports"

josh.howlett@gmail.com Wed, 26 July 2023 17:41 UTC

Return-Path: <josh.howlett@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1678C153CA8 for <radext@ietfa.amsl.com>; Wed, 26 Jul 2023 10:41:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pf8TyC_FVl0a for <radext@ietfa.amsl.com>; Wed, 26 Jul 2023 10:41:24 -0700 (PDT)
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B74F6C15199F for <radext@ietf.org>; Wed, 26 Jul 2023 10:41:19 -0700 (PDT)
Received: by mail-wm1-x335.google.com with SMTP id 5b1f17b1804b1-3fbc77e76abso60532055e9.1 for <radext@ietf.org>; Wed, 26 Jul 2023 10:41:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1690393277; x=1690998077; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=DqIblq+xvUt1b4td9nqP7mH2gkJ02ER6ilEevr9W/Ys=; b=iyVBjeK5kFNrhmmktZZgCGk0/aMCRBUnTb3xEsLTasxIJCRAowUE2wj46IIcmJ8jdF PUXTUqZVbsM7ojOXsD0oCh5JizRtSQP8dkIeHytXYpHn671YnR+s3c+TWBn53QWlAUFZ ovWfoRT1Y4Q5qi13m9PGWCVHTMoX0osKidSFwJoumJONcXhNXqKPjWALzVALPW3SRSXz oONYfPyHHmHuQubWiUwzWd9zuqCcOPfnRBs/xr1O9EPOW2OhnRl7bnmjGkmquBCpVtR3 7a4xmuxCSzef08G5K+TTSrkLRmZ82JrcQhDZrC1LNiT4LCDAxKwry6whAdFPa5SpNmNS 947g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690393277; x=1690998077; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=DqIblq+xvUt1b4td9nqP7mH2gkJ02ER6ilEevr9W/Ys=; b=cDMXdF8Gsr1NWGOhrEtG38D3a0xRMmMdWvd/eJdWEKMEjnb9OMiaN/2C8UXGwhLopS FRC2gqNf45FPqtuvpXw885BSxFW9x8S8+4HQi2gS9EnN9EbTztAag2awMuvj4MjQwOsX TEIJR5HmwBgojYWHE/FX3Qo+9NiViZEE/DQtU8tP42vRqeDCPZnIqLucOkh5MDz9/Trl PNtBlAMebjl/b6TO0SFkANB339qWXO5lIVyWIRM3MzSGfjFy2FgC69ZhKnDo5HnERXny g5SmGqHg2/bqXqlWm8co5iKgQyGEfllDiq6ZgVAr8cuRcmPtiEHDxsCHCm+nos6fqdxF WyCg==
X-Gm-Message-State: ABy/qLY2W6GiwssyEeXddN6Lpp1Fv9Wzgp+mwiyw20QdCcj8XbYSMwLR ZHcQjws9HK/9puPCl9vpHzg=
X-Google-Smtp-Source: APBJJlEUluc6ZW3yKrXtF22X5GFArGzPQ0bTzgDIoM/PQlO8f3gxXCt3n/vDkQbJzbCN5hbc8h1IFg==
X-Received: by 2002:a7b:c449:0:b0:3fb:b05d:f27c with SMTP id l9-20020a7bc449000000b003fbb05df27cmr1823603wmi.34.1690393276898; Wed, 26 Jul 2023 10:41:16 -0700 (PDT)
Received: from TABLET7VKS5QAO (host81-142-222-159.in-addr.btopenworld.com. [81.142.222.159]) by smtp.gmail.com with ESMTPSA id z17-20020a5d6411000000b003140f47224csm2442510wru.15.2023.07.26.10.41.16 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 26 Jul 2023 10:41:16 -0700 (PDT)
From: josh.howlett@gmail.com
To: 'Margaret Cullen' <mrcullen42@gmail.com>
Cc: 'Alan DeKok' <aland@deployingradius.com>, radext@ietf.org
References: <06c301d9bfc0$e07154d0$a153fe70$@gmail.com> <5390176A-A8D1-40E5-AA3B-9008328650F9@gmail.com>
In-Reply-To: <5390176A-A8D1-40E5-AA3B-9008328650F9@gmail.com>
Date: Wed, 26 Jul 2023 18:41:17 +0100
Message-ID: <076501d9bfe8$61d13a00$2573ae00$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQL+Ux625NMMzhX+xKfhhcfeCXYRdgEwY4verXmkAMA=
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/wCRHnCxuusU5KVryPDEEFyHq39g>
Subject: Re: [radext] CUI comments in "deprecating insecure transports"
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2023 17:41:25 -0000

Hi Margaret,

> > On Jul 26, 2023, at 5:58 AM, josh.howlett@gmail.com wrote:
> > There are good reasons for the CUI value to be persistent, provided
> > that it is targeted to each network access provider. In this way,
> > different providers cannot collude to track users. However, they still
> > maintain the ability to *recognise* (but not identify) the same user
> > that they saw earlier
> 
> I understand the value of using a single, unique CUI per user/service
provider
> pair in application-level authentication, because the user may have
persistent
> data or state associated with previous application sessions.
> 
> The current document text claims that a persistent CUI across sessions  is
not
> needed for network access.  Do you think there is per-user state that
might be
> maintained by the access provider across sessions, requiring a persistent
CUI?

I can't think of a use-case for that at the moment; however, I wouldn't want
to rule it out, if it costs nothing to support.

> If so, we might want to say that the CUI MUST be unique per user/access
> provider pair, rather than unique per-session.
> 
> In either case, the IDP can store the user<->CUI mapping for later use,
whether
> it is generated for each access provider or for each session, so that the
user can
> be identified later, if necessary.

As I wrote previously, I don't think we need to prescribe the semantics of
the CUI value. The desired semantics may vary on a case-by-case basis, and
so should be controlled by configuration and business agreements.

> The important point is that the same CUI MUST not be sent to multiple
access
> providers to identify the same user.  Hopefully we all agreed on that.

I'm not sure I do agree with that :-) because there are lawful and
legitimate reasons for IDPs and access providers to want to do that. If CUI
doesn't meet these needs,  it is trivial to create a VSA that does...

Josh

v2.35.0 | Report a Bug | By Email | System Status