[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue: Treatment of null Identity Response



Bernard Aboba wrote:

RFC 4282 allows use of a userid without a realm ("fred"). It also allows use of a realm without a userid ("@example.com"). So as far as I can tell, an NAI without either a userid or realm is allowed as well.

I think not -- here's the ABNF:

  nai         =  username
  nai         =/ "@" realm
  nai         =/ username "@" realm

which seems to imply that its either username, realm, or both. And neither
the "username" or "realm" can be an empty string.

One interpretation is that it represents the anonymous NAI of the local realm, and so is equivalent to "@localrealm". Since RFC 4282 discourages use of pseudonyms such as "anonymous" it is not clear what the preferred representation is for "the anonymous user of the local realm". Under this line of thought, the null userid might not only be legal, it might actually be the *preferred* representation!

Anyway, even if such a NAI would be legal, I think we should discourage it
at the client side for obvious roaming problems -- of course the NAS side could
still use that.

But if I can read (or write) ABNF, then its not a legal NAI...

--Jari


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>