
RE: open issues of draft-ietf-radext-digest-auth-00



Wolfgang Beck writes...

> Issue 7
> 
> My interpretation of the list discussion was that the consensus was to
> make the Message-Authenticator mandatory. I'll copy the relevant parts
> of sections 3.1 and 3.2 of RFC 3579, as Bernard proposed.
> 
> I don't think that integrity protection of Access-Requests is really
> a big issue. Carrying HTTP Digest over unprotected RADIUS can't be
> worse than carrying it over unprotected HTTP or SIP. Digest-HA1 is the
> only exception, because a MITM can 'sign' arbitrary HTTP-style responses.
> Here is a proposal:
> - Message-Authenticator is optional
> - Digest-HA1 MUST be encrypted like User-Password, using a shared key.
> That means Digest-HA1 can be used with MD5 and AKAv1-MD5; reliance
> on IPsec is no longer needed (the requirement remains with sips /
> https, where all attributes would have to be encrypted).

It may be confusion on my part, but it seems to me that the two
paragraphs above say different and conflicting things.  The first
paragraph says "Make inclusion of the Message-Authenticator attribute
mandatory within the scope of the Digest-Auth draft".  The second
paragraph says "Make the inclusion of Message-Authenticator optional
within the scope of the Digest-Auth draft, and specify an encrypted form
of the Digest-HA1 attribute".

Which is the resolution that will appear in the next revision of the
Digest-Auth draft?  If the WG has reached consensus on the first
paragraph, isn't that what must be chosen?



--
archive: <http://psg.com/lists/radiusext/>
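The two mechanisms the thread is weighing are easy to confuse, so here is an added example (not code from the draft, the list, or either author) that implements both in pure Python: the RFC 2865 section 5.2 User-Password hiding applied to a Digest-HA1 value, and the RFC 3579 Message-Authenticator (HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute's own value zeroed while computing). The shared secret, user, realm, password and Request Authenticator are constructed sample values; the attribute type number used for Digest-HA1 is assumed for illustration, since the -00 draft discussed here had no allocated number.

```python
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80      # RFC 3579 section 3.2
ATTR_DIGEST_HA1 = 121                # assumed for this example; not from the -00 draft

SHARED_SECRET = b"constructed-example-secret"   # constructed sample, not a real secret


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (including the 2-octet header), Value."""
    assert 0 <= len(value) <= 253
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_like_user_password(value: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple, then
    c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_(i-1))."""
    assert len(request_auth) == 16
    padded = value + b"\x00" * (-len(value) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def unhide_like_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_like_user_password(). Trailing NUL padding is stripped,
    which is safe for a hex-encoded HA1 but would not be for arbitrary binary."""
    assert len(hidden) % 16 == 0 and len(request_auth) == 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, request_auth: bytes,
                         attributes: list, secret: bytes) -> bytes:
    """Serialise an Access-Request and fill in Message-Authenticator last:
    HMAC-MD5(secret, whole packet with the attribute's 16 octets zeroed)."""
    body = b"".join(_attr(t, v) for t, v in attributes)
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body))
    zeroed = header + request_auth + body
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return zeroed[:-16] + mac          # the zeroed value is the final 16 octets


def check_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: locate Message-Authenticator, zero it, recompute, compare."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, found = 20, None
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False                # malformed attribute: reject
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18 or found is not None:
                return False
            found = pos
        pos += alen
    if found is None:
        return False                    # attribute absent: no integrity check possible
    zeroed = packet[:found + 2] + b"\x00" * 16 + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found + 2:found + 18])


def demo() -> dict:
    """Constructed exchange: the client hides HA1 and signs; the server verifies;
    a MITM flips one octet of the hidden HA1 and the MAC check fails."""
    ha1 = hashlib.md5(b"alice:example.org:correct horse").hexdigest().encode()  # RFC 2617 HA1
    request_auth = os.urandom(16)
    hidden = hide_like_user_password(ha1, SHARED_SECRET, request_auth)
    pkt = build_access_request(7, request_auth,
                               [(ATTR_USER_NAME, b"alice"), (ATTR_DIGEST_HA1, hidden)],
                               SHARED_SECRET)
    tampered = bytearray(pkt)
    tampered[20 + 7 + 2] ^= 0x01       # first octet of the hidden HA1 value (after User-Name)
    return {
        "ha1_hidden": hidden != ha1,
        "ha1_roundtrip": unhide_like_user_password(hidden, SHARED_SECRET, request_auth) == ha1,
        "genuine_ok": check_message_authenticator(pkt, SHARED_SECRET),
        "tampered_ok": check_message_authenticator(bytes(tampered), SHARED_SECRET),
        "wrong_secret_ok": check_message_authenticator(pkt, b"not-the-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete: User-Password-style hiding gives confidentiality of the HA1 only, and a server that receives a modified hidden value just decrypts garbage with nothing to tell it so; Message-Authenticator is what makes the tampered packet in demo() fail, and it only does so when the attribute is actually present, which is why "optional" and "mandatory" are materially different resolutions.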