>>>>> "Stefan" == Stefan Paetow <[log in to unmask]> writes:
Stefan> Hi Jon,
>> It's important that the unique string doesn't change unexpectedly over time,
>> since that would require the mapping to be updated before the user (or group)
>> could successfully authenticate. I understand (from a distance) that this is part
>> of the objection to CUI.
Stefan> When correctly implemented, CUI should not change unless one of the
Stefan> four constituent parts, the salt, the Operator-Name, the User-Name, or
Stefan> the hashing mechanism, changes. This is virtually identical to the
Stefan> ePTID in Shibboleth.
This is true for FreeRADIUS and appears to be true by convention?
policy? for Eduroam.
However, as pointed out, this directly goes against the RFC, which states
that the lifetime of the assertion should not be too long.
I do agree that, as implemented by FreeRADIUS, CUI is roughly the same as
ePTID.
--Sam
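
An added example, not part of the original message and not FreeRADIUS's own policy code: it derives an identifier from the four parts named above (salt, Operator-Name, User-Name, hashing mechanism) and shows which changes leave a service-side mapping valid and which make it stale. The SHA-256 default, the NUL-joined input, the lower-casing of User-Name and all sample values are assumptions made for illustration.

```python
import hashlib

def cui(salt, operator_name, user_name, hash_name="sha256"):
    """Derive an opaque identifier from the four constituent parts.

    Assumed construction for illustration: hash(salt NUL operator NUL user).
    """
    material = "\x00".join([salt, operator_name, user_name.lower()]).encode()
    return hashlib.new(hash_name, material).hexdigest()

# Constructed sample values, not taken from any real deployment.
SALT_V1 = "example-salt-original"
SALT_V2 = "example-salt-rotated"
USER = "alice@idp.example.org"
SP_A = "1sp-a.example.net"   # leading "1" = realm namespace in Operator-Name
SP_B = "1sp-b.example.net"

def build_mapping(salt):
    """Service-side table: CUI seen at SP_A -> local account."""
    return {cui(salt, SP_A, USER): "local-alice"}

def lookup(mapping, salt, operator_name, user_name, hash_name="sha256"):
    """Return the mapped local account, or None if the CUI is unknown."""
    return mapping.get(cui(salt, operator_name, user_name, hash_name))

def demo():
    mapping = build_mapping(SALT_V1)
    return {
        # Nothing changed: the identifier is stable across sessions.
        "same_inputs": lookup(mapping, SALT_V1, SP_A, USER),
        # Different Operator-Name: a different, unlinkable identifier.
        "other_operator": lookup(mapping, SALT_V1, SP_B, USER),
        # Salt rotated at the home server: the old mapping is stale.
        "salt_rotated": lookup(mapping, SALT_V2, SP_A, USER),
        # Hashing mechanism changed: the old mapping is stale.
        "hash_changed": lookup(mapping, SALT_V1, SP_A, USER, "sha512"),
    }

if __name__ == "__main__":
    for case, account in demo().items():
        print(f"{case:15} -> {account}")
```

Only the first case resolves to the local account; every other case returns `None` until the service's mapping is updated.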