
RE: Continued discussion of RADIUS Crypto-Agility

Stefan Winter <> allegedly scribbled on Wednesday, August 08, 2007 5:06 AM:

> Hello,
> 
>> We can certainly entertain a discussion of whether RADSEC is
>> appropriate as a RADEXT WG work item.  However, I am not entirely
>> clear that this question is relevant to the current crypto-agility
>> discussion (although I'm certainly willing to be convinced
>> otherwise). 
> 
> I agree that it is not relevant for crypto-agility discussions. As I
> see it, DTLS and RadSec fall under a common category in this respect:
> whole packet encryption, with encryption negotiation happening
> outside of RADIUS.

Well, except that in order to place these things in a common category it
is necessary to ignore one of the defining characteristics of RADIUS:
that it is only and intentionally defined as a connectionless protocol.
This is not an accidental result of the transport choice as you seem to
imply below ("{some transport}+{the equivalent of TLS for that
transport}"), but a fundamental quality of RADIUS itself.  Much as you
might like to believe so, RadSec is _not_ RADIUS, & therefore far out of
scope of not just the crypto-agility discussions but of this WG.
RADIUSoDTLS, OTOH, doesn't alter the fundamental nature of RADIUS &
therefore _is_ in scope.

> Basically everything that falls under {some transport}+{the
> equivalent of TLS for that transport} would fall into this same class
> (i.e. also yet-exotic combinations like DCCP+DTLS or SCTP+TLS would
> be covered). keywrap represents a second, fundamentally different
> class: per-attribute encryption, with encryption negotiation
> happening inside the packet. I guess discussions re the general
> crypto-agility problem could focus on discussing those two classes of
> approach.
> 
> Greetings,
> 
> Stefan Winter

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>