
Issue on CUI-03



Issue with CUI-03 in the definition of CUI content.


Submitter name: David B. Nelson

Submitter email address: dnelson@enterasys.com

Date first submitted: 08 March 2005

Reference:

Document: CUI-03

Comment type: T

Priority: S

Section: 1.0, 2.2

Rationale/Explanation of issue: (see below)

Requested change:


In Section 1 Introduction: 


  “While this
   mechanism is good practice in some circumstances, there are problems
   if local and intermediate networks require a user identity.”


No entity other than the home AAA can derive a true user identity from the CUI, so I would recommend that “require a user identity” (above) be changed to “require an authenticated surrogate identity to bind the current session”.


In Section 2.2 CUI Attribute:


  “String:

      The string identifies the CUI of the end-user and is of type
      UTF8String.  This string value is a reference to a particular
      user.  The format and the interpretation of the string value, and
      the binding lifetime of the reference to the user is determined
      based on business agreements.  For example, the lifetime can be
      set to one billing period.  In cases where the attribute is used
      to indicate the NAS support for the CUI, the string value contains
      a nul character.”


In discussions on the WG mailing list or in other e-mail threads on this draft, I believe we had reached agreement that the content of the CUI attribute would be described as an “opaque token”, or as an authenticated surrogate identity, but that only the Home AAA server was in a position to make any other semantic interpretation of the CUI content and that all other entities, e.g. proxy servers or NASes, should treat the CUI as a “cookie”, performing a binary-equality-test operation on two CUI instances, but making no other interpretation of the CUI content.  That restriction didn’t make it into the -03 draft.


I would recommend that “The format and the interpretation of the string value, and the binding lifetime of the reference to the user is determined based on business agreements.” (above) be changed to “The format and content of the string value is determined by the Home RADIUS server.  The binding lifetime of the reference to the user is determined based on business agreements.  RADIUS entities other than the Home RADIUS server MUST treat the CUI content as an opaque token, and SHOULD NOT perform operations on its content other than a binary equality comparison test, between two instances of CUI.”
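The handling rule proposed above (non-home RADIUS entities treat the CUI string as an opaque token and do nothing with it except a binary equality test, with a single nul character meaning "the NAS supports CUI") can be shown as code. The example below is added here and is not part of the e-mail or of the draft: it encodes and parses the CUI attribute as a RADIUS Type/Length/String TLV, rejects malformed lengths, recognises the nul-character support indicator, and gives a proxy a session-binding table whose only operation on the token is a constant-time equality comparison. The attribute type number 89 comes from the published Chargeable-User-Identity specification rather than from this page, and the token values and the `ProxySessionTable` helper are constructed for illustration.

```python
import hmac
import struct
from typing import Dict, List, Optional, Tuple

# Chargeable-User-Identity attribute type (RFC 4372); not stated on the page itself.
CUI_ATTR_TYPE = 89
# A CUI string consisting of a single nul character: the NAS is advertising CUI support.
NUL_CUI = b"\x00"


def encode_cui(value: bytes) -> bytes:
    """Encode a CUI as a RADIUS attribute: Type (1 octet), Length (1 octet), String.

    Length covers the type and length octets as well as the string.
    """
    if not value:
        raise ValueError("CUI string must be at least one octet")
    if len(value) + 2 > 255:
        raise ValueError("CUI string does not fit in a single RADIUS attribute")
    return struct.pack("!BB", CUI_ATTR_TYPE, len(value) + 2) + value


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute area of a RADIUS packet, refusing truncated or bad lengths."""
    attrs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("attribute length out of range")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def extract_cui(payload: bytes) -> Optional[bytes]:
    """Return the CUI string if exactly one CUI attribute is present, None if absent."""
    cuis = [value for atype, value in parse_attributes(payload) if atype == CUI_ATTR_TYPE]
    if len(cuis) > 1:
        raise ValueError("more than one CUI attribute in packet")
    return cuis[0] if cuis else None


def is_support_indicator(cui: bytes) -> bool:
    """True when the string is the single nul character that signals NAS support."""
    return cui == NUL_CUI


def cui_equal(a: bytes, b: bytes) -> bool:
    """The only operation a non-home entity performs on CUI content: binary equality.

    Constant-time comparison so that the check leaks nothing about the token.
    """
    return hmac.compare_digest(a, b)


class ProxySessionTable:
    """Hypothetical proxy-side table binding a session to the opaque CUI it received.

    The proxy never interprets the token; it stores the bytes and later checks
    that a packet for the same session carries the identical bytes.
    """

    def __init__(self) -> None:
        self._bound: Dict[str, bytes] = {}

    def bind(self, session_id: str, cui: bytes) -> None:
        if is_support_indicator(cui):
            raise ValueError("nul-character CUI is a support indicator, not an identity")
        self._bound[session_id] = cui

    def matches(self, session_id: str, cui: bytes) -> bool:
        stored = self._bound.get(session_id)
        return stored is not None and cui_equal(stored, cui)


def demo() -> bool:
    """Constructed exchange: NAS advertises support, home server returns a token,
    proxy binds it and later verifies an accounting packet for the same session."""
    access_request = b"\x01\x07alice" + encode_cui(NUL_CUI)       # User-Name + nul CUI
    assert is_support_indicator(extract_cui(access_request) or b"")
    access_accept = encode_cui(b"x9J3-opaque-token")              # constructed token
    table = ProxySessionTable()
    table.bind("sess-42", extract_cui(access_accept) or b"")
    accounting = b"\x01\x07alice" + encode_cui(b"x9J3-opaque-token")
    return table.matches("sess-42", extract_cui(accounting) or b"")


if __name__ == "__main__":
    print("proxy CUI binding check:", "ok" if demo() else "mismatch")
```

Note that the proxy table stores the raw bytes of the string and compares them for equality only; decoding the UTF8String or parsing any internal structure out of it is exactly what the proposed text forbids for anything other than the Home RADIUS server.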