A proposal for resolving this part of Pasi's Issue 303 would be to add a Forward Secrecy requirement, so that compromise of the long-term credential would not necessarily result in compromise of previously transmitted keys.
From: bernard_aboba@hotmail.com
To: radiusext@ops.ietf.org
Subject: Crypto-agility requirements: Forward Secrecy concern (from Issue 303)
Date: Sun, 28 Jun 2009 14:00:50 -0700
Forward secrecy:
Sometimes RADIUS is used to deliver keys (like EAP MSK) that will be used (perhaps indirectly via additional key derivation steps) to encrypt information that may be valuable for a long time. Given this, the document needs some discussion about "forward secrecy" (whether revealing the long-term credential allows decrypting all past communications), and if the conclusion is that crypto-agility solutions don't need to support forward secrecy (even as an optional-to-use feature), explain the rationale behind this conclusion.