
Re: Continued discussion of RADIUS Crypto-Agility



Glen Zorn (gwz) wrote:
> Stefan Winter <> allegedly scribbled on Wednesday, August 08, 2007 5:06 AM:
>
>> Hello,
>>
>>> We can certainly entertain a discussion of whether RADSEC is
>>> appropriate as a RADEXT WG work item.  However, I am not entirely
>>> clear that this question is relevant to the current crypto-agility
>>> discussion (although I'm certainly willing to be convinced
>>> otherwise).
>>
>> I agree that it is not relevant for crypto-agility discussions. As I
>> see it, DTLS and RadSec fall under a common category in this respect:
>> whole packet encryption, with encryption negotiation happening
>> outside of RADIUS.
>
> Well, except that in order to place these things in a common category it
> is necessary to ignore one of the defining characteristics of RADIUS:
> that it is only and intentionally defined as a connectionless protocol.
A situation not unlike SIP, btw, which also started as a UDP-based
protocol but which had to evolve in the face of, among other
things, the requirement to protect the transport in the absence
of deployable S/MIME.

Sure, SIP could have rolled an in-band security layer, but that
would not have helped an already complex protocol. In-band
authentication combined with channel bindings to a lower
security layer is imo a much simpler and cleaner solution for
most protocols.

    Cheers, Leif


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>