**Session Date/Time:** 09 Nov 2023 12:00

# madinas

## Summary

The Madinas working group session at IETF 119 covered several topics, including the status of the MAC address randomization draft, use cases and identity requirements document, a liaison statement from the WBA regarding open roaming, results from a hackathon focused on privacy aspects of open roaming, and a discussion about mobile subscription information for DHCP. The primary focus was on the hackathon results related to open roaming and the subsequent discussion on how to address potential privacy concerns, specifically regarding the chargeable user identity (CUI) attribute in RADIUS. The WG also discussed next steps for the working group.

## Key Discussion Points

* **MAC Address Randomization Draft:** The draft is ready for IETF last call after addressing comments from the working group last call. Bob Hinden pointed out an inaccuracy in Section 6 regarding IPv6 usage of MAC addresses.
* **Use Cases and Identity Requirements Document:** The document is nearing completion. The WG discussed requirements pertaining to RCM. Carlos Bernardo suggested rewording requirement number 3 for clarity.
* **WBA Liaison Statement:** The WBA acknowledged feedback from IETF 117 and experiments regarding privacy leakage in open roaming, specifically concerning the CUI attribute. The WBA Roaming Working Group will review requirements and best practices and provide recommendations in Q1 2024.
* **Hackathon Results (Open Roaming):** The hackathon project analyzed authentication exchanges between various access network implementations and IDPs.
    * Observed use of pseudonyms for preliminary IDs and anonymous realms for other EAP methods.
    * Observed username rewrites in access-accept messages.
    * Identified different uses of class attributes by different providers.
    * Observed a range of approaches for encoding CUI, with some potentially leaking identity information.
    * Confirmed that attributes in access-accept can be used to leak information.
* **Privacy Concerns & CUI:** Discussed the potential privacy leakage related to CUI and other attributes in RADIUS exchanges within the context of open roaming.
* **Action Items & Next Steps:**
    * Determine the best venue for documenting and addressing the findings related to privacy leakage in open roaming. Radext was suggested as a possible home for the best practices document based on the hackathon findings.
    * Discuss potential follow-up with Radext, the WBA, and offline testing.
    * Explore the possibility of surveying WBA credential holders to understand how they create particular attribute values.
* **Mobile Subscription Info for DHCP:** A presentation on a draft proposal to provide service continuity between cellular and WiFi was received, with some discussion on use cases.

## Decisions and Action Items

* **MAC Address Randomization Draft:** Revise Section 6 to correct the description of IPv6's handling of MAC addresses.
* **Use Cases and Identity Requirements Document:** Reword requirement number 3 based on Carlos Bernardo's suggestion.
* **Open Roaming & Privacy:**
    * Document the hackathon findings and related discussions.
    * Further discussions to take place on the mailing list.
    * Consider documenting best practices or recommendations in Radext.
    * Evaluate potential outreach to WBA to discuss best practices around privacy.
    * WG will discuss whether to create a BCP, re-charter, or conclude.

## Next Steps

* Carlos to propose a change to wording for requirement 3 in the Use Cases document.
* Discussions on the mailing list to explore the best venue for documenting and addressing the privacy concerns related to Open Roaming and to determine the group's next steps: BCP, Recharter, or conclude.
* Mark to coordinate potentially with the WBA in a more controlled environment, regarding Open Roaming configurations and privacy implications.