Since an NAI reveals the home affiliation of a user, it may assist an
attacker in further probing the username space. Typically, this
problem is of most concern in protocols that transmit the username in
clear-text across the Internet, such as in RADIUS, described in
[RFC2865] and [RFC2866]. In order to prevent snooping of the
username, protocols may use confidentiality services provided by
protocols transporting them, such as RADIUS protected by IPsec
[RFC3579] or Diameter protected by TLS [RFC3588].
This specification adds the possibility of hiding the username part
in the NAI, by omitting it. As discussed in Section 2.3, this is
possible only when NAIs are used together with a separate
authentication method that can transfer the username in a secure
manner. In some cases, application-specific privacy mechanisms have
also been used with NAIs. For instance, some Extensible
Authentication Protocol (EAP) methods apply method-specific
pseudonyms in the username part of the NAI [RFC3748]. Neither of
these approaches can protect the realm part, which must remain
visible for routing. Their advantage over transport protection,
which is applied hop by hop, is that the username remains private
even through intermediate nodes such as NASes, which otherwise see
it in the clear when they decrypt and re-encrypt the request.
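The following is an added example, not code from this specification or
from any RADIUS or Diameter implementation. It shows the three forms the
NAI grammar allows ("user", "user@realm" and the realm-only "@realm"
discussed above), realm-based routing that works equally for the
realm-only form, and a helper that strips the username before the NAI
is sent across an untrusted hop. The character rules, the case-folding
of realms for lookup, and the routing table ROUTES are assumptions made
for this example and are simplified relative to the full ABNF.

```python
"""Added example, not code from RFC 4282: NAI parsing with the
realm-only form, realm routing, and username stripping for privacy."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Character rules below are simplifications assumed for this example:
# ASCII only, DNS-style realm labels, no escaped characters.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
_ATOM = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]+"
_USERNAME = re.compile(rf"^{_ATOM}(?:\.{_ATOM})*$")


@dataclass(frozen=True)
class NAI:
    username: Optional[str]  # None when the username part is omitted
    realm: Optional[str]     # None when the NAI has no "@realm" part


def parse_nai(text: str) -> NAI:
    """Parse "user", "user@realm" or "@realm"; raise ValueError otherwise."""
    if text.count("@") > 1:
        raise ValueError("at most one '@' is allowed in an NAI")
    if "@" not in text:
        if not _USERNAME.match(text):
            raise ValueError("invalid username")
        return NAI(text, None)
    user, _, realm = text.partition("@")
    # "user@" with an empty realm is not a valid NAI; each label is checked.
    if not realm or not all(_LABEL.match(lbl) for lbl in realm.split(".")):
        raise ValueError("invalid realm")
    if user and not _USERNAME.match(user):
        raise ValueError("invalid username")
    return NAI(user or None, realm)


def strip_username(nai: NAI) -> str:
    """Return the realm-only form: still routable, but the user is hidden.

    This is only safe when the authentication method (for example an EAP
    method) carries the real identity inside its own protected exchange,
    as Section 2.3 requires; a realm-less NAI cannot be reduced further.
    """
    if nai.realm is None:
        raise ValueError("cannot hide the username of a realm-less NAI")
    return "@" + nai.realm


def next_hop(nai: NAI, table: Dict[str, str], local: str) -> str:
    """Select the AAA server by realm; realm-less NAIs are handled locally.

    Realm lookup is case-insensitive here, an assumption for this example.
    """
    if nai.realm is None:
        return local
    try:
        return table[nai.realm.lower()]
    except KeyError:
        raise ValueError(f"no route for realm {nai.realm!r}") from None


# Constructed routing table and sample NAIs used only for demonstration.
ROUTES = {"example.com": "aaa.example.com", "example.net": "aaa.example.net"}
LOCAL = "aaa.local"

if __name__ == "__main__":
    for raw in ("alice@example.com", "@example.com", "alice"):
        nai = parse_nai(raw)
        print(raw, "->", next_hop(nai, ROUTES, LOCAL),
              "| username visible to NAS:", nai.username is not None)
```

Running the block shows that "alice@example.com" and "@example.com"
reach the same next hop, while only the first exposes the username to
every node on the path; the realm is visible in both cases, which is the
limitation noted above.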