> This is true for FreeRADIUS and appears to be true by convention?

For FR 3.0.x this is all defined in the /etc/raddb/policy.d/cui file, and it's been there since 2009 (surprisingly!). The only difference between the two versions is that in v3.x, SHA-1 is used as hashing mechanism by default, and that it also includes a regularisation to ensure that both User-Name and Operator-Name are treated case-insensitively.

> policy? for Eduroam.

I was incorrect in stating that eduroam policy forbids changing the CUI from the value the home IdP set. It is in fact in the RFC. The first paragraph of Section 2.1, Chargeable-User-Identity attribute, explicitly forbids any changes outside the home organisation, although, as you pointed out, there is no technical way to prevent that. Additionally, Section 6 (Security Considerations) points out the technical deficiency, but again reiterates the requirement that the CUI may not change in transit.

In 2009, Maja Górecka-Wolniewicz from the Polish NREN presented something at the TERENA Networking Conference in Malaga where the CUI was suggested as an identifier and a way to manage users. Link here: http://geant3.archive.geant.net/Media_Centre/Media_Library/Media%20Library/identity%20management%20of%20users%20in%20eduroam.pdf

The current eduroam policy (I again speak under correction) is this one, dated 2012: https://www.eduroam.org/downloads/docs/GN3-12-192_eduroam-policy-service-definition_ver28_26072012.pdf

It discusses CUI several times as a *recommended* item, but it only refers to the CUI lifetime in the logs, which are to be kept for six months.

> However as pointed out, this directly goes against the RFC which states that the lifetime of the assertion should not be too long.

Indeed. So I'm guessing that this would be the sticky point. :-/

Stefan


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
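The paragraph above describes the FreeRADIUS 3.0 cui policy only in outline: a SHA-1 hash, a site-specific hash key, and case-insensitive treatment of User-Name and Operator-Name. The following is an added illustration, not code from FreeRADIUS or from the post; the concatenation order, the `CUI_HASH_KEY` value and the `cui_matches` check are assumptions. It shows why the regularisation matters (the same user from the same operator gets one stable CUI regardless of capitalisation), why the CUI differs per operator, and how a home organisation that receives its own CUI echoed back (for example in accounting records) could recompute it and spot a value altered in transit.

```python
import hashlib
import hmac

# Stand-in for the cui_hash_key setting in /etc/raddb/policy.d/cui.
# Constructed value for this example; a deployment uses its own secret.
CUI_HASH_KEY = "example-site-secret"


def normalise(value: str) -> str:
    """Case-insensitive regularisation of a RADIUS string attribute.

    Lowercasing (and trimming stray whitespace) means "Alice@Example.AC.UK"
    and "alice@example.ac.uk" hash to the same CUI.
    """
    return value.strip().lower()


def derive_cui(user_name: str, operator_name: str, hash_key: str = CUI_HASH_KEY) -> str:
    """Derive a CUI as SHA-1 over the secret key, the normalised
    Operator-Name and the normalised User-Name.

    The order key + operator + user is this example's assumption, not a
    statement of the exact FreeRADIUS expansion.  The secret key is what
    stops a third party from reconstructing the CUI from a known identity.
    """
    material = hash_key + normalise(operator_name) + normalise(user_name)
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


def cui_matches(observed_cui: str, user_name: str, operator_name: str,
                hash_key: str = CUI_HASH_KEY) -> bool:
    """Check a CUI value that came back to the home organisation against
    the value it would have issued.  A mismatch indicates the attribute
    was changed somewhere along the proxy chain (the RFC forbids this but
    cannot technically prevent it, as the discussion notes).
    Uses a constant-time comparison so timing does not leak the value.
    """
    expected = derive_cui(user_name, operator_name, hash_key)
    return hmac.compare_digest(expected, observed_cui.strip().lower())


if __name__ == "__main__":
    # Constructed sample identities.
    home_cui = derive_cui("Alice@Example.AC.UK", "1Visited.org")
    print("CUI issued:", home_cui)
    print("same user, same operator, different case ->",
          derive_cui("alice@example.ac.uk", "1visited.org") == home_cui)
    print("same user, different operator ->",
          derive_cui("alice@example.ac.uk", "1other.org") == home_cui)
    print("echoed CUI intact ->", cui_matches(home_cui, "alice@example.ac.uk", "1visited.org"))
    print("echoed CUI tampered ->",
          cui_matches("0" * 40, "alice@example.ac.uk", "1visited.org"))
```

Run it as a script to see the four properties printed; the functions can also be imported and used against values pulled from a log. Note that the comparison only helps where the home organisation actually sees the CUI again; nothing here changes the fact, stated in the thread, that an intermediate proxy can rewrite the attribute before the visited site reads it.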