
RE: Continued discussion of RADIUS Crypto-Agility



Leif Johansson writes...

> Another thing that bothers me is the direct reference to AES.
> 
> Introducing a dependency on any one algorithm does not
> constitute agility in any sense of the word. The point (imho) is
> not to demonstrate how much we trust AES today but to make
> sure radius doesn't have to go through this again when AES
> needs replacing.

The keywrap draft was originally created for the purpose of obtaining
FIPS-140 certification of an 802.11 WLAN solution.  It pre-dates the RADEXT
crypto-agility effort.

The fact that it contains cipher-suite identifiers means that it can be
considered in the more general sense for crypto-agility.  As I said in my
last post in this thread, we really need to consider the encrypted
attributes draft together with the keywrap draft to meet the RADEXT
crypto-agility requirements.




--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>