[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Continued discussion of RADIUS Crypto-Agility

To: "Stefan Winter" <stefan.winter@restena.lu>, "Bernard Aboba" <bernard_aboba@hotmail.com>
Subject: RE: Continued discussion of RADIUS Crypto-Agility
From: "Glen Zorn \(gwz\)" <gwz@cisco.com>
Date: Wed, 8 Aug 2007 09:42:32 -0700
Cc: <radiusext@ops.ietf.org>
In-reply-to: <200708081405.38669.stefan.winter@restena.lu>
References: <BAY117-F28B64B0EA1942F20FDAAA293E90@phx.gbl> <200708081405.38669.stefan.winter@restena.lu>

Stefan Winter <> allegedly scribbled on Wednesday, August 08, 2007 5:06
AM:

> Hello,
> 
>> We can certainly entertain a discussion of whether RADSEC is
>> appropriate as a RADEXT WG work item.  However, I am not entirely
>> clear that this question is relevant to the current crypto-agility
>> discussion (although I'm certainly willing to be convinced
>> otherwise). 
> 
> I agree that it is not relevant for crypto-agility discussions. As I
> see it, DTLS and RadSec fall under a common category in this respect:
> whole packet encryption, with encryption negotiation happening
> outside of RADIUS.   

Well, except that in order to place these things in a common category it
is necessary to ignore one of the defining characteristics of RADIUS:
that it is only and intentionally defined as a connectionless protocol.
This is not an accidental result of the transport choice as you seem to
imply below ("{some transport}+{the equivalent of TLS for that
transport}"), but a fundamental quality of RADIUS itself.  Much as you
might like to believe so, RadSec is _not_ RADIUS, & therefore far out of
scope of not just the crypto-agility discussions but of this WG.
RADIUSoDTLS, OTOH, doesn't alter the fundamental nature of RADIUS &
therefore _is_ in scope.

> Basically everything that falls under {some transport}+{the
> equivalent of TLS for that transport} would fall into this same class
> (i.e. also yet-exotic combinations like DCCP+DTLS or SCTP+TLS would
> be covered). keywrap represents a second, fundamentally different
> class: per-attribute encryption, with encryption negotiation
> happening inside the packet. I guess discussions re the general
> crypto-agility problem could focus on discussing those two classes of
> approach.      
> 
> Greetings,
> 
> Stefan Winter

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: Continued discussion of RADIUS Crypto-Agility
  - From: Stefan Winter <stefan.winter@restena.lu>
- Re: Continued discussion of RADIUS Crypto-Agility
  - From: Leif Johansson <leifj@it.su.se>

References:
- RE: Continued discussion of RADIUS Crypto-Agility
  - From: "Bernard Aboba" <bernard_aboba@hotmail.com>
- Re: Continued discussion of RADIUS Crypto-Agility
  - From: Stefan Winter <stefan.winter@restena.lu>

Prev by Date: Re: Continued discussion of RADIUS Crypto-Agility
Next by Date: Re: Continued discussion of RADIUS Crypto-Agility
Previous by thread: Re: [Re: Continued discussion of RADIUS Crypto-Agility]
Next by thread: Re: Continued discussion of RADIUS Crypto-Agility
Index(es):
- Date
- Thread