On Feb 16, 2023, at 10:14 AM, Murray S. Kucherawy <[email protected]> wrote:

> The outer identity SHOULD use an anonymous NAI realm, which allows for
> both user privacy, and for the EAP session to be routed in an AAA
> framework as described in [RFC7542] Section 3. Where NAI realms are
> not used, packets will not be routable outside of the local
> organization.
>
> Is there any legitimate reason for an implementer to decide to deviate from
> the SHOULD and still expect to interoperate? The text you're suggesting
> sounds a lot like a MUST to me.
It's not an implementation issue. Anyone can type anything into the "username" field of the Microsoft Windows popup. No EAP client enforces that the name must be a domain. Implementations are required to support any values in that name field. This is a business reality. This specification can only make recommendations.

> I think this point should be made clear, i.e., that this is only a SHOULD
> because of backward compatibility with previous documents. In fact, I
> suggest using "MUST, unless ..."
>
> Private environments, I would imagine, are always free to interoperate or
> not, so I'm not too worried about the (b) case.

Implementations have to support both use-cases. If we make this a MUST, then implementors may see it as a requirement of the implementation, and forbid practices which are currently in widespread use.

Alan DeKok.

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
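The two properties under discussion, whether an outer identity carries a realm that AAA proxies can route on and whether it hides the user, can be checked mechanically. The following is an added example written for this page, not code from the thread, the draft or RFC 7542 itself. It follows the structural NAI rule from RFC 7542 Section 2.2 (`username`, `@realm`, or `username@realm`, with a realm of at least two dot-separated labels) but simplifies the character classes to ASCII letters, digits and hyphens; treating an empty username or the literal `anonymous` as the anonymous form is the example's own convention. Because, as the reply notes, clients accept whatever the user types, the classifier never raises on malformed input.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified label syntax (assumption: ASCII only; RFC 7542 also allows UTF-8).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


@dataclass
class NaiInfo:
    username: str
    realm: Optional[str]
    routable: bool   # a well-formed realm is present, so AAA proxies can route on it
    anonymous: bool  # username is empty or "anonymous", so the user is not revealed


def _valid_realm(realm: str) -> bool:
    # RFC 7542: utf8-realm = 1*( label "." ) label, i.e. at least two labels.
    labels = realm.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def classify_outer_identity(identity: str) -> NaiInfo:
    """Classify a user-typed EAP outer identity; never raises on garbage."""
    if "@" not in identity:
        # Bare username: legal per RFC 7542, but without a realm the request
        # is only meaningful inside the local organization.
        return NaiInfo(identity, None, False, identity.lower() == "anonymous")
    username, _, realm = identity.partition("@")
    if "@" in realm or not _valid_realm(realm):
        # Second '@' or malformed realm: nothing a proxy could route on.
        return NaiInfo(username, None, False, False)
    anonymous = username == "" or username.lower() == "anonymous"
    return NaiInfo(username, realm, True, anonymous)


def meets_recommendation(identity: str) -> bool:
    """True when the outer identity is both routable and anonymous, i.e. it
    satisfies the SHOULD quoted above."""
    info = classify_outer_identity(identity)
    return info.routable and info.anonymous


if __name__ == "__main__":
    # Constructed sample identities, not values from the thread.
    for ident in ["@example.com", "anonymous@example.com",
                  "alice@example.com", "alice", "alice@", "a@b@c"]:
        print(f"{ident!r:28} {classify_outer_identity(ident)}")
```

Running the block prints one classification per constructed identity; only the first two satisfy both the routing and the privacy half of the recommendation, which is exactly the gap between what the draft recommends and what a client will still accept.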
