[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Fwd: Re: Reminder: automated key management is often required for new protocols]

To: radiusext@ops.ietf.org
Subject: [Fwd: Re: Reminder: automated key management is often required for new protocols]
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
Date: Wed, 14 Nov 2007 15:23:11 -0500
User-agent: Thunderbird 2.0.0.6 (Windows/20070728)

Once again, channeling Sam Hartman's response to the RADEXT list.

    David> Well, besides that, some folks at Cisco expressed a desire
    David> to replace the crypto elements of RADIUS (e.g. key wrap,
    David> MAC, etc.) with algorithms and modes that would allow
    David> systems including RADIUS to receive FIPS certification, for
    David> solutions in government and financial services markets.

    David> Additionally, the folks behind the EduRoam consortium in
    David> Europe have deployed RADIUS over TLS for inter-university
    David> roaming authentication.

I think automated key management is important for both of these use
cases.

Based on this response from Sam, it seems to me that we need to ask theauthors of the various RADIUS Crypto-Agility proposals (Key Wrap, RADIUSover DTLS, RADIUS over TLS) to submit a write-up of how their proposalprovides for automated key management, per RFC 4107, or why they thinkRFC 4107 requirements do not apply. In the latter case, the authors andthe WG would need to be prepared to address any DISCUSS that might comefrom Sam during IESG review.

Another use case that I've recently become aware of is RADIUS Key Wrapfor use in the HOKEY WG. We should address that, as well.

--- Begin Message ---

To: "David B. Nelson" <dnelson@elbrysnetworks.com>

Subject: Re: Reminder: automated key management is often required for new protocols

From: Sam Hartman <hartmans-ietf@mit.edu>

Date: Wed, 14 Nov 2007 14:43:03 -0500

Cc: radiusext@ops.ietf.org

Delivered-to: dnelson@elbrysnetworks.com

In-reply-to: <473B2372.90007@elbrysnetworks.com> (David B. Nelson's message of "Wed, 14 Nov 2007 11:33:54 -0500")

References: <BAY117-F33204AA79CFE4EDD62D5A093D40@phx.gbl> <015901c8263b$38ff71d0$091716ac@xpsuperdvd2> <tslk5okhoje.fsf@mit.edu> <473B2372.90007@elbrysnetworks.com>

User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
>>>>> "David" == David B Nelson <dnelson@elbrysnetworks.com> writes:


    David> Well, besides that, some folks at Cisco expressed a desire
    David> to replace the crypto elements of RADIUS (e.g. key wrap,
    David> MAC, etc.) with algorithms and modes that would allow
    David> systems including RADIUS to receive FIPS certification, for
    David> solutions in government and financial services markets.

    David> Additionally, the folks behind the EduRoam consortium in
    David> Europe have deployed RADIUS over TLS for inter-university
    David> roaming authentication.

I think automated key management is important for both of these use
cases.
--- End Message ---

Follow-Ups:
- Re: [Fwd: Re: Reminder: automated key management is often required for new protocols]
  - From: Alan DeKok <aland@nitros9.org>

Prev by Date: Re: Reminder: automated key management is often required for new protocols
Next by Date: Re: [Fwd: Re: Reminder: automated key management is often required for new protocols]
Previous by thread: [Fwd: Re: Reminder: automated key management is often required for new protocols]
Next by thread: Re: [Fwd: Re: Reminder: automated key management is often required for new protocols]
Index(es):
- Date
- Thread