eap Mailing List: Re: Issue 189: Handling of the identity response

[John Vollbrecht (jrv]

see suggestions below - mostly edits and nits

--On Thursday, October 30, 2003 10:11 AM -0800 Joseph Salowey 
<jsalowey [at] cisco.com> wrote:

> Handling of the identity response
>
> Submitter name: Joe Salowey
> Submitter email address: jsalowey [at] cisco.com
> Date first submitted: 10/30/3003
> Reference:
> http://mail.frascone.com/pipermail/public/eap/2003-October/001787.html,
> http://mail.frascone.com/pipermail/public/eap/2003-October/001788.html
> Document: RFC2284bis
> Comment type: 'E'ditorial
> Priority: '1' Should fix
> Section: Section 5.1 and Section 2.2
> Rationale/Explanation of issue:
>
> The data in the EAP-Identity Response method is typically provided to a
> method for processing.  There are several reasons why a method may not
> be able to process this identity.  First the identity may not be the
> appropriate identity for the method chosen by the server.  Second the
> identity may have been decorated to ensure that it is routed correctly
> to the appropriate EAP-Server.
>
> The recommendation is to suggest that the EAP-Identity response be used
> primarily for routing and method selection.  EAP-Methods should provided
> a separate mechanism for obtaining identity and not rely upon the
> identity response.  Many proposed methods already have a way to do this.
>
> Requested change:
>
> Modify the following text in section 2.2:
>
> "Since some EAP authentication methods may wish to access the Identity,
> implementations SHOULD make the Identity Request and Response accessible
> to authentication methods (Types 4 or greater) in addition to the
> Identity method.  However, it is recommended that future EAP Methods not

> Identity Type is discussed in Section 5.1."

> rely upon the identity received in the identity response and have a
> alternate way of obtaining identity.  There are several reasons why a
> method may not be able to process this identity; the identity may
> the identity may have been decorated to ensure that it is routed correctly
> to the appropriate EAP-Server, or the identity may have been truncated
> or obfuscated for privacy reasons. . It is recommended that the identity 
> > be used primarily for routing the request to an appropriate EAP server;
> and that the identity response be ignored by the EAP Method.
> Identity Type is discussed in Section 5.1."

how about

When an EAP Identity Method is used, Data in the EAP-Identity Response is 
typically provided to subsequent EAP Methods.  The subsequent Method MAY 
use this in its processing its algorithm.  Note that the information in the 
Identity Response is primarily used for routiing following EAP requests and 
for selecting a method to process the request.  A method SHOULD NOT use 
information in the Identity response as the actual Identity to be 
authenticated.

The reason is that the Data in the Identity Response may not be
the appropriate identity for the method chosen by the server: the identity 
may have been decorated to ensure that it is routed correctly by a NAS or 
Proxy AAAA Server to the appropriate EAP-Server, or the identity may have 
been truncated or obfuscated for privacy reasons. It is recommended that 
the Identity Response Data be used primarily for routing the request to an 
appropriate EAP server and/or selecting an EAP method, and that the 
Identity Response Data be ignored by subsequent the EAP Method. Identity 
Type is discussed in Section 5.1.


> I 'm not sure we need to add anything to section 5.1 (although I think
> the implementation note needs to be fixed).  There may be security
> considerations: in order to prevent mechanisms from revealing too much
> information about valid users method implementations may always ignore
> the identity response and use the mechanism specific identity query.
>
> _______________________________________________
> eap mailing list
> eap [at] frascone.com
> http://mail.frascone.com/mailman/listinfo/eap