In Issue 303, Pasi Eronen brought up the following concern:
Authentication/long-term credentials:
Authenticating the RADIUS client and server will require (manual) configuration of some kinds of credentials (currently, the RADIUS shared secret). The document should say something about what kinds of long-term authentication credentials (for RADIUS entities) the crypto-agility solutions are expected to support.
Presumably, they MUST support pair-wise shared secrets. Other possibilities for long-term credentials could include, e.g., X.509 certificates with a PKI, public keys without a certification infrastructure (generate a keypair and configure the fingerprint of the peer's key), or Kerberos. Even if the conclusion is that nothing other than pairwise shared secrets is needed, that should be said in the document (with a rationale explaining why).
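To make concrete what "pair-wise shared secrets" means for the RADIUS entities discussed above, the following is an added example (not part of Issue 303, the crypto-agility document, or any RADIUS implementation). It uses only the Python standard library and shows the existing credential type end to end: a per-client table of shared secrets, a client building an Access-Request carrying the RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the secret), the server looking up the secret for that client and checking the HMAC, and the RFC 2865 Response Authenticator on the Access-Accept. The client addresses, secrets and user name are constructed values for the example.

```python
import hashlib
import hmac
import os
import struct

# Pair-wise credential table (constructed for this example): each RADIUS client
# address maps to its own shared secret. The server has to know which secret to
# use before it can verify anything, which is why the lookup is keyed by peer.
SHARED_SECRETS = {
    "192.0.2.10": b"example-secret-client-a",
    "192.0.2.11": b"example-secret-client-b",
}

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 Message-Authenticator attribute
HEADER_LEN = 20                   # Code, Identifier, Length, 16-byte Authenticator


def encode_attr(attr_type, value):
    """Type-Length-Value encoding used for every RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, identifier, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_attrs(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def message_authenticator(packet, secret, ma_offset):
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed."""
    zeroed = packet[:ma_offset + 2] + bytes(16) + packet[ma_offset + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def build_access_request(secret, identifier, username, request_auth=None):
    """Client side: build an Access-Request protected by the shared secret."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = [encode_attr(ATTR_USER_NAME, username),
             encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    packet = build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)
    ma_offset = HEADER_LEN + len(attrs[0])
    mac = message_authenticator(packet, secret, ma_offset)
    attrs[1] = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def verify_access_request(packet, client_addr):
    """Server side: look up the pair-wise secret for this client, then check the HMAC."""
    secret = SHARED_SECRETS.get(client_addr)
    if secret is None:
        return False                      # unknown client: no credential configured for it
    for offset, attr_type, value in parse_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            expected = message_authenticator(packet, secret, offset)
            return hmac.compare_digest(expected, value)
    return False                          # no Message-Authenticator present


def build_access_accept(secret, request):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret), RFC 2865."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], HEADER_LEN)
    response_auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + response_auth


def verify_access_accept(response, request, secret):
    """Client side: recompute the Response Authenticator with its own copy of the secret."""
    header, body = response[:4], response[HEADER_LEN:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret_a = SHARED_SECRETS["192.0.2.10"]
    req = build_access_request(secret_a, 7, b"alice")
    print("request from known client:", verify_access_request(req, "192.0.2.10"))
    print("same bytes claimed by other client:", verify_access_request(req, "192.0.2.11"))
    resp = build_access_accept(secret_a, req)
    print("accept verified by client:", verify_access_accept(resp, req, secret_a))
```

The point the example makes is the one the message is asking the document to state: every check above depends on first selecting the right peer's secret, so the credential is inherently pair-wise, and a server with no entry for a peer has nothing to verify against. Any alternative credential type (certificates, pinned public keys, Kerberos) would have to replace both that lookup and the keyed-MD5 constructions shown here.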