During the Virtual Interim, we discussed the potential drawbacks of requiring that NASes support certificate-based authentication. Given this, what types of credentials need to be supported in a crypto-agility solution? Should it be necessary for a solution to support a shared secret or pre-shared key?
From: bernard_aboba@hotmail.com
To: radiusext@ops.ietf.org
Subject: Crypto-agility requirements: Credentials issue
Date: Sun, 28 Jun 2009 13:59:01 -0700
In Issue 303, Pasi Eronen brought up the following concern:
Authentication/long-term credentials:
Authenticating the RADIUS client and server will require (manual) configuration of some kinds of credentials (currently, the RADIUS shared secret). The document should say something about what kinds of long-term authentication credentials (for RADIUS entities) the crypto-agility solutions are expected to support.
Presumably, they MUST support pair-wise shared secrets. Other possibilities for long-term credentials could include e.g. X.509 certificates with PKI, public keys without certification infrastructure (generate keypair + configure fingerprint of peer's key), or Kerberos. Even if the conclusion is that nothing other than pairwise shared secrets is needed, that should be said in the document (with rationale explaining why).
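To make the two credential styles the quoted issue contrasts concrete, here is an added example written for this page; it is not code from the e-mail, from the RADEXT issue tracker, or from any RADIUS implementation. It shows a pairwise shared secret authenticating a message with an HMAC, next to the "public key without certification infrastructure" option: each peer generates a keypair and the operator configures only the fingerprint of the peer's public key, exactly where a shared secret would be configured today. Everything algorithm-specific is an assumption of this example (Ed25519 keys, SHA-256 fingerprint over the DER SubjectPublicKeyInfo, HMAC-SHA256 standing in for RADIUS' own shared-secret mechanisms), as are the peer name "nas1", the sample message and the secret value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// --- Credential type 1: pairwise shared secret ------------------------------
// Both peers are configured with the same secret and prove possession of it
// with an HMAC over the message. HMAC-SHA256 is an assumption for this
// example; it is not RADIUS' Response Authenticator or Message-Authenticator.

// SharedSecretTag returns the HMAC-SHA256 tag of msg under secret.
func SharedSecretTag(secret, msg []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifySharedSecret recomputes the tag and compares it in constant time.
func VerifySharedSecret(secret, msg, tag []byte) bool {
	return hmac.Equal(tag, SharedSecretTag(secret, msg))
}

// --- Credential type 2: raw public key pinned by fingerprint ------------------
// No certificate and no CA. The peer generates a keypair; the operator is given
// the fingerprint of the public key out of band and configures it locally.

// Fingerprint returns "sha256:<hex>" over the DER SubjectPublicKeyInfo of pub,
// so the value does not depend on how the key is later encoded on the wire.
func Fingerprint(pub ed25519.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return "sha256:" + hex.EncodeToString(sum[:]), nil
}

// PinStore maps a peer name (e.g. a NAS identifier) to its configured
// fingerprint; it plays the role of the clients file in a shared-secret setup.
type PinStore map[string]string

// VerifyPeer accepts msg only if the presented public key matches the
// fingerprint configured for name AND the signature over msg verifies.
// A rogue peer can present any key it likes; the pin binds key to identity.
func (p PinStore) VerifyPeer(name string, pub ed25519.PublicKey, msg, sig []byte) error {
	want, ok := p[name]
	if !ok {
		return fmt.Errorf("peer %q: no fingerprint configured", name)
	}
	got, err := Fingerprint(pub)
	if err != nil {
		return err
	}
	if got != want {
		return fmt.Errorf("peer %q: fingerprint mismatch: got %s want %s", name, got, want)
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	// Constructed sample data; not from any real RADIUS exchange.
	secret := []byte("constructed-shared-secret")
	msg := []byte("Access-Request: user=alice nas=nas1")
	tag := SharedSecretTag(secret, msg)
	fmt.Println("shared secret verifies:", VerifySharedSecret(secret, msg, tag))

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fp, _ := Fingerprint(pub)
	pins := PinStore{"nas1": fp} // what the operator would configure out of band
	sig := ed25519.Sign(priv, msg)
	fmt.Println("pinned key verifies:", pins.VerifyPeer("nas1", pub, msg, sig))

	// A different key with a perfectly valid signature is rejected by the pin.
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("rogue key:", pins.VerifyPeer("nas1", pub2, msg, ed25519.Sign(priv2, msg)))
}
```

Note the operational symmetry: in both cases the operator configures one string per peer, but with a pinned fingerprint the string is public, so a leaked configuration file does not let an attacker impersonate the peer, while a leaked shared secret does. The cost is that the peer must protect a private key rather than a password-like value, which is the NAS-side burden the Virtual Interim discussion was weighing.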