[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Continued discussion of RADIUS Crypto-Agility



Stefan Winter wrote:
> Hello,
>
>   
>> We can certainly entertain a discussion of whether RADSEC is appropriate as
>> a RADEXT WG work item.  However, I am not entirely clear that this question
>> is relevant to the current crypto-agility discussion (although I'm
>> certainly willing to be convinced otherwise).
>>     
>
> I agree that it is not relevant for crypto-agility discussions. As I see it, 
>   

I have to disagree. The purpose of the IESG crypto-agility "challenge"
is to get rid of hard dependencies on vulnerable mechanisms, notably
MD5 and to make sure that the current situation wrt to these mechs
don't arise again in the future.

There are two fundamental ways to address this problem: reference
some work or roll your own. Radius+DTLS and RadSec fall into the
first category, keywrap falls into the second category.

There is no doubt that these 3 proposals aren't created equal and
sort differently depending on what problems _besides_ crypto and
hash agility you may want to solve at the same time but they clearly
all solve the basic problem of crypto and hash agility.

The wg should (imho) explicitly state if the issue is getting rid of MD5
or getting rid of MD5 at the same time as a whole bunch of other
things are done. That will probably make this process go a whole lot
easier.

    Cheers Leif

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>