On Jul 23, 2025, at 11:50 AM, Alexander Clouter <[email protected]> wrote:
> Section 10.4 - Recommendations for usage in federated use cases (OpenRoaming)
>
> A requirement of these sites (including eduroam) is to provide the visited
> site some machinery to deal with abuse by the visiting users. This machinery
> can (and does) include bubbling up to Meat Space(tm) and phone calls but
> there seems to be alignment around Chargeable-User-Identity.

The device will generally be using the same Calling-Station-Id for multiple sessions to the same SSID. That puts a strong limit on how much privacy is available.

But to your point, yes, the home server should send a Chargeable-User-Identity.

> I understand the entire purpose of the draft is to prevent associating one
> user session from another, but as this draft stands, a bad actor could
> deliver service impacting effect and the site operator would be powerless to
> prevent them re-connecting; other than to block *all* visiting users from
> that IdP realm.

CUI doesn't help here. It's often unique per session. So the visited network can't track it across multiple sessions.

> Whatever the outcome, operators need to understand either how they can deal
> with abuse (Calling-Station-Id is not a good answer) or know that they cannot.

This is a separate problem, I think. Other EAP types have the same issue. But it's a problem which should be addressed.

Alan DeKok.
