
Re: Continued discussion of RADIUS Crypto-Agility



On Thu, August 9, 2007 1:58 pm, Leif Johansson wrote:
> Dan Harkins wrote:
>>   Hello,
>>
>> On Wed, August 8, 2007 7:22 am, Leif Johansson wrote:
>> [snip]
>>
>>> There are two fundamental ways to address this problem: reference
>>> some work or roll your own. Radius+DTLS and RadSec fall into the
>>> first category, keywrap falls into the second category.
>>>
>>
>>   I have to disagree. Keywrap is not "roll your own". It uses RFC3394
>>
> That is absolutely "roll your own" - RFC3394 is AES, which is
> crypto, not a security protocol. Of course no-one in the IETF
> is silly enough not to reference existing crypto :-)

  No, and no. RFC3394 is a _use of_ AES. A specific use. It's to solve the
problem of transmitting keying material over an untrusted network. And
that is _exactly_ the problem the keywrap draft is solving.

  One thing the IETF does well (in addition to apparently referencing
existing crypto) is take work from outside the IETF and document it in
RFCs. TLS is a perfect example. So is RFC3394. Neither one is "roll your
own" and neither is a proposal to use one of them.

  Dan.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>