
Re: Thoughts on Requirements for RADIUS crypto-agility



Glen Zorn (gwz) wrote:
> Initially, I agreed with you on this, but re-reading David's message I
> wonder if the replay protection stuff just applies to the crypto
> algorithm negotiation mechanism?

  Perhaps.  I think there's also a need for replay protection in RADIUS.
The suggested use of Event-Timestamp in Section 5.4 of RFC 3576 is
better than nothing.  But it doesn't protect the server from replay
attacks within a large window, so its usefulness is limited.

>  If not, the straw-man requirements
> would appear to be self-contradictory since requirement 11 states
> "Similarly, the addition of new capabilities to the RADIUS protocol is
> out of scope; a proposal should focus on the crypto-agility problem and
> nothing else." yet (IMHO) strong replay protection is certainly a new
> capability for RADIUS & it is a crypto application, rather than an
> agility thing.

  I am sure we will get clarification on the issues. :)

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
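The point Alan makes above, that a window check on Event-Timestamp alone does not stop a verbatim replay that arrives inside the window, can be shown with a small simulation. The following is an added example, not code from the thread or from any RADIUS implementation. It assumes a 300-second acceptance window (the value used for illustration here), models a packet as a dictionary, and stands in for the Request Authenticator with random bytes; the `TimestampOnlyReceiver`, `CachingReceiver`, `make_packet` and `simulate` names are hypothetical. The second receiver is a commonly used hardening, not something the message proposes: it remembers the Request Authenticator of every packet accepted inside the window, so an identical packet is rejected even though its timestamp is still fresh.

```python
import os

# Acceptance window in seconds; 300 is an assumed value for this illustration.
WINDOW = 300


class TimestampOnlyReceiver:
    """Accept a request iff |Event-Timestamp - now| <= window. Keeps no replay state,
    so an identical packet replayed inside the window is accepted again."""

    def __init__(self, window=WINDOW):
        self.window = window

    def accept(self, packet, now):
        return abs(now - packet["event_timestamp"]) <= self.window


class CachingReceiver(TimestampOnlyReceiver):
    """Same window check, plus a cache of Request Authenticators accepted inside
    the window. A verbatim replay carries the same authenticator and is refused;
    entries are dropped once the window check would reject them anyway, so the
    cache stays bounded by the window."""

    def __init__(self, window=WINDOW):
        super().__init__(window)
        self.seen = {}  # request authenticator -> Event-Timestamp of accepted packet

    def accept(self, packet, now):
        if not super().accept(packet, now):
            return False
        # Expire cache entries whose packets would now fail the timestamp check.
        self.seen = {a: t for a, t in self.seen.items() if now - t <= self.window}
        auth = packet["request_authenticator"]
        if auth in self.seen:
            return False  # identical packet already accepted inside the window
        self.seen[auth] = packet["event_timestamp"]
        return True


def make_packet(event_timestamp):
    """Constructed stand-in for a RADIUS request: a 16-byte authenticator and an
    Event-Timestamp. Random bytes replace the real authenticator computation."""
    return {"request_authenticator": os.urandom(16), "event_timestamp": event_timestamp}


def simulate(receiver_cls, window=WINDOW):
    """Send one packet, then replay it verbatim inside and outside the window.
    Returns (first_accepted, replay_inside_window, replay_outside_window)."""
    rx = receiver_cls(window)
    t0 = 1_000_000  # arbitrary constructed clock value
    pkt = make_packet(t0)
    first = rx.accept(pkt, t0)
    replay_inside = rx.accept(pkt, t0 + window // 2)
    replay_outside = rx.accept(pkt, t0 + window + 1)
    return first, replay_inside, replay_outside


if __name__ == "__main__":
    print("timestamp only:", simulate(TimestampOnlyReceiver))  # (True, True, False)
    print("with cache:    ", simulate(CachingReceiver))        # (True, False, False)
```

The timestamp-only receiver accepts the replay at 150 seconds and only rejects the one at 301 seconds, which is the "large window" weakness in the message; the caching receiver rejects both. Note that the cache only helps if the key it remembers is bound to the packet contents, which is why the Request Authenticator (not the timestamp) is the thing to remember.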