Re: [Fwd: Re: Reminder: automated key management is often required for new protocols]

[Alan DeKok <aland@nitros9.org>]

David B. Nelson wrote:
>> I think automated key management is important for both of these use
>> cases.
> 
> Based on this response from Sam, it seems to me that we need to ask the
> authors of the various RADIUS Crypto-Agility proposals (Key Wrap, RADIUS
> over DTLS, RADIUS over TLS) to submit a write-up of how their proposal
> provides for automated key management, per RFC 4107, or why they think
> RFC 4107 requirements do not apply.  In the latter case, the authors and
> the WG would need to be prepared to address any DISCUSS that might come
> from Sam during IESG review.

 From RFC 4107:

   Examples of automated key management systems include IPsec IKE and
   Kerberos.  S/MIME and TLS also include automated key management
   functions.

  Yes: DTLS uses TLS, which passes the RFC 4107 requirements for
automated key management.  Long-term keys (e.g. certificates) can be
distributed manually to each RADIUS device, which is permitted by RFC 4107.

  From Section 2.1, DTLS uses stream ciphers, which means that automated
key management must be used.

  From Section 2.2, RADIUS over DTLS meets none of the criteria for
permitting manual key management.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>