Hello, On Mon, 7 Jul 2025, at 13:26, [email protected] wrote: > Internet-Draft draft-ietf-emu-eap-ppt-00.txt is now available. It is a work > item of the EAP Method Update (EMU) WG of the IETF. > > Title: Extensible Authentication Protocol (EAP) Using Privacy Pass Token > Authors: Paresh Sawant > Bart Brinckman > Name: draft-ietf-emu-eap-ppt-00.txt > Pages: 33 > Dates: 2025-07-07 > > Abstract: > > This document describes Extensible Authentication Protocol using > Privacy Pass token (EAP-PPT) Version 1. The protocol specifies use > of the Privacy Pass token for client authentication within EAP as > defined in RFC3748. Privacy Pass is a privacy preserving > authentication mechanism used for authorization, as defined in > RFC9576.
Section 10.4 - Recommendations for usage in federated use cases (OpenRoaming) A requirement of these sites (including eduroam) is to provide the visited site some machinery to deal with abuse by the visiting users. This machinery can (and does) including bubbling up to Meat Space(tm) and phone calls but there seems to be alignment around Chargeable-User-Identity. The need here is not that the site necessarily wants to know who the visiting user is just that they have been deemed "naughty" and the visited site wants *all*, or maybe just one device in case of infection, of their devices blocked by an ID that is stable for N hours/days/weeks. I understand the entire purpose of the draft is to prevent associating one user session from another, but as this draft stands, a bad actor could deliver service impacting effect and the site operator would be powerless to prevent them re-connecting; other than to block *all* visiting users from that IdP realm. This has been brought up before, I know I did (back in Dublin) and others have: https://datatracker.ietf.org/meeting/121/materials/minutes-121-emu-202411051800-00 https://mailarchive.ietf.org/arch/msg/emu/GLdf0jp6s3HwhwU776MPpqh94x0/ One option would be to state "sorry, operators will need to eat abusive users". This likely would hurt adoption so putting energy into resolving this definitely is valuble. Whatever the outcome, operators need to understand either how they can deal with abuse (Calling-Station-Id is not a good answer) or know that they cannot. Cheers Alex _______________________________________________ Emu mailing list -- [email protected] To unsubscribe send an email to [email protected]
