[Sterman Issue 7] Message Authenticator: Options
Hi folks,
We would like to get closure on the issue of the use of Message
Authenticator for draft-sterman-aaa-sip-04.
Everyone seems to agree that we need to use some sort of RADIUS Message
Authenticator.
There was a discussion on the strength of HMAC-MD5. Some suggested that we
should strengthen the RADIUS Message-Authenticator to HMAC-SHA1.
-HMAC-MD5 is not busted (yet).
-draft-sterman-aaa-sip-04 carries HTTP digest, which is based on MD5.
-draft-sterman-aaa-sip-04 seems to be addressing legacy deployments.
Recommending that greenfield implementations use Diameter.
-There is a push to get draft-sterman-aaa-sip-04 out quickly.
-keywrap proposes a new message authenticator, Message-Authentication-Code,
which supports either HMAC-MD5 or HMAC-SHA1 methods.
Options:
========
1) Allow draft-sterman-aaa-sip to use Message-Authenticator(80). And when
keywrap is ready we can state in keywrap that RADIUS implementations should
upgrade to Message-Authentication-Code.
2) Require draft-sterman-aaa-sip to use Message-Authentication-Code.
Questions:
==========
-Will IESG accept a new RFC based on HMAC-MD5?
If not then we don't really have a choice.
-Will keywrap be ready in time?
This is important but the authors feel that it is ready to go. However,
note that Keywrap allows Message-Authentication-Code to be HMAC-MD5; isn't
this a problem?
Your comments and opinion would be appreciated.
Avi
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
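
Added example, not part of the original message or of any draft: the Python code below shows what Message-Authenticator(80) protects on an Access-Request, namely HMAC-MD5 keyed with the shared secret over the whole packet with the attribute's 16-byte value zeroed, and how a receiver checks it. The helper names, the secret and the sample User-Name are constructed for illustration.

```python
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80  # the attribute named in option 1

def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, identifier, request_auth, attrs):
    """Build an Access-Request ending in a valid Message-Authenticator."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = bytearray(header + request_auth + body)
    # HMAC-MD5 is computed while the attribute value is still 16 zero bytes.
    packet[-16:] = hmac.new(secret, bytes(packet), "md5").digest()
    return bytes(packet)

def verify_message_authenticator(secret, packet):
    """Check attribute 80 on an Access-Request; absent or malformed fails.

    For reply packets the Request Authenticator of the matching request
    is used in the header instead; that case is not handled here.
    """
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, "md5").digest()
            # Constant-time comparison avoids leaking how many bytes match.
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # no Message-Authenticator: treat as unauthenticated
```

Changing any byte of the packet, including attributes that the Request Authenticator alone does not cover in an Access-Request, makes verification fail.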