cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Tomasz Wolniewicz <twoln AT umk.pl>
- To: Stefan Winter <stefan.winter AT restena.lu>, cat-users AT lists.geant.org, "Cecchini, Paolo" <paolo.cecchini AT uniurb.it>
- Subject: Re: [[cat-users]] CAT installer broken on TTLS PAP
- Date: Wed, 24 Oct 2018 08:38:12 +0200
- Openpgp: preference=signencrypt
I have also removed the check from the Linux installer.
Tomasz
On 23.10.2018 at 16:25, Stefan Winter wrote:
> Hi,
>
>> So indeed the installer has a problem. We did not think of a situation
>> where an IdP would be using inner identifiers like user@staff
>> We have been asked many times to add some identifier checks and we have
>> two new options on that - the admins now can test if the realm in user's
>> identifier matches the realm provided in the configuration or even
>> prefill the username field with "@realm". With no options set, we still
>> run some basic checks like multiple @ signs or a dot immediately after @
>> or no dot in the realm part. This last test causes the error in Paolo's
>> case. It looks like we have no choice but to drop this one test as it
>> may be doing more harm than good.
> Just for the sake of making an argument, I'd like to point out that
> something@staff is not a valid user identifier in the sense of the
> IETF's "Network Access Identifier (NAI)" RFC. Nor is something with two
> @@ signs in it or an @. .
>
> If this kind of identifier is used /without/ enabling outer identity
> with a correct NAI, it leads to actual breakage when roaming. I'm
> assuming that this IdP has thus turned on outer identities, making this
> internal use "okay".
>
> So, I think in general we have a point in testing for these conditions.
> But since reality shows us that these identifiers are in actual
> deployment, and our sense for standards-correctness is getting in the
> way of real deployments, I'm okay with removing the check.
>
> Greetings,
>
> Stefan
--
Tomasz Wolniewicz
twoln AT umk.pl http://www.home.umk.pl/~twoln
Uczelniane Centrum Informatyczne (Information & Communication Technology Centre)
Uniwersytet Mikolaja Kopernika (Nicolaus Copernicus University)
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
Attachment:
smime.p7s
Description: Cryptographic S/MIME signature
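The checks discussed in this thread, written out as an added Python example that is not the CAT installer's own code: the three basic identifier checks (multiple @ signs, a dot immediately after @, no dot in the realm part), the optional comparison against the configured realm, and a small helper showing which realm actually travels in the clear when an outer identity is or is not configured. The function names, the handling of an identifier with no @ at all, and the sample identities are assumptions of this example.

```python
# Added example, not code from the CAT installers. Sketches the inner-identity
# checks described in the thread and the reason an outer identity matters for
# roaming. Function names and the 'no @ at all' case are assumptions.

from typing import Optional


def check_identifier(identity: str, configured_realm: Optional[str] = None,
                     require_dot_in_realm: bool = True) -> list:
    """Return the list of problems found; an empty list means the identifier passed.

    require_dot_in_realm=False corresponds to the check that was dropped so that
    identifiers such as user@staff are accepted by the installer.
    """
    problems = []
    at_count = identity.count("@")
    if at_count == 0:
        return ["no '@' in identifier"]  # assumed; the thread lists only the checks below
    if at_count > 1:
        return ["multiple '@' signs"]
    user, realm = identity.split("@")
    if not user:
        problems.append("empty user part")  # assumed extra check
    if realm.startswith("."):
        problems.append("dot immediately after '@'")
    if require_dot_in_realm and "." not in realm:
        problems.append("no dot in realm part")
    if configured_realm is not None and realm.lower() != configured_realm.lower():
        problems.append("realm does not match configured realm")
    return problems


def routing_realm(inner_identity: str, outer_identity: Optional[str] = None) -> str:
    """Realm that the RADIUS proxies see and route on.

    With an outer (anonymous) identity configured, only its realm travels in the
    clear; without one, the inner identity's realm is what every proxy along the
    path sees, which is why user@staff breaks roaming unless an outer identity
    with a proper NAI is set.
    """
    visible = outer_identity if outer_identity else inner_identity
    return visible.rsplit("@", 1)[-1]
```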