Re: Continued discussion of RADIUS Crypto-Agility
Dan Harkins wrote:
> Each RADIUS client MUST go through the step of obtaining the certificate
> of the certification authority and affirmatively trusting it before it is
> used to authenticate the TLS exchange.
In the BOF that started RADEXT, I presented a "client kickstart"
draft, co-authored with Robert Moskowitz. It's functionally equivalent
to (D)TLS + DNS lookups to find the server, along with fingerprint
validation.
> There is a dangerous attraction to (D)TLS because people can do server-
> side authentication only and base that on a self-signed certificate--
> they typically say something along the lines of "just click <ok> when
> asked if you want to proceed!". They think that since they're using TLS
> then everything is secure when, in fact, their deployment is patently
> insecure.
<g> "Just use IPSec!"
The issue that (D)TLS solves is one of mind-share. Administrators are
familiar with TLS, and with the tools to deploy a TLS-based infrastructure.
> This sort of provisioning is something that people who manage
> RADIUS servers have done before since it's how the current RADIUS secret
> is provisioned. Asking administrators to install a certificate in a
> trusted store on every RADIUS client, in addition to asking them to install
> a username and password, might be a lot to ask. Would demanding that they
> deploy a PKI and assign a certificate and private key to every RADIUS
> client be too much to ask?
For new deployments, it's possible. Existing ones are often beyond hope.
Alan DeKok.
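The fingerprint validation Alan refers to, as an added Go example that is not from this thread or from any RADIUS implementation: the client accepts the server's self-signed certificate only when its SHA-256 fingerprint matches a value the administrator provisioned out of band, which is what replaces the "just click ok" step. The names PinnedVerifier, ClientConfig and SelfSignedDER are my own, and the certificate is generated in-process so the code runs offline.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// PinnedVerifier returns a callback for tls.Config.VerifyPeerCertificate that
// accepts the server only when the SHA-256 fingerprint of its leaf certificate
// equals the value provisioned out of band; the pin is the trust anchor.
func PinnedVerifier(pin [sha256.Size]byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("server sent no certificate")
		}
		got := sha256.Sum256(rawCerts[0]) // same value `openssl x509 -fingerprint -sha256` prints
		if subtle.ConstantTimeCompare(got[:], pin[:]) != 1 {
			return fmt.Errorf("server fingerprint %x does not match the pinned value", got)
		}
		return nil
	}
}

// ClientConfig trusts the pin alone. InsecureSkipVerify disables only CA chain
// building and hostname checks; VerifyPeerCertificate still runs and enforces the pin.
func ClientConfig(pin [sha256.Size]byte) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: true,
		VerifyPeerCertificate: PinnedVerifier(pin)}
}

// SelfSignedDER builds a throwaway self-signed certificate, constructed here
// only so the example runs offline, and returns its DER encoding.
func SelfSignedDER() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

A wrong or missing pin fails the handshake instead of prompting the user, so the "click ok" path does not exist.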
archive: <http://psg.com/lists/radiusext/>