Once again, channeling Sam Hartman's response to the RADEXT list.
> David> Well, besides that, some folks at Cisco expressed a desire
> David> to replace the crypto elements of RADIUS (e.g. key wrap,
> David> MAC, etc.) with algorithms and modes that would allow
> David> systems including RADIUS to receive FIPS certification, for
> David> solutions in government and financial services markets.
> David> Additionally, the folks behind the EduRoam consortium in
> David> Europe have deployed RADIUS over TLS for inter-university
> David> roaming authentication.
>
> I think automated key management is important for both of these use cases.
Based on this response from Sam, it seems to me that we need to ask the authors of the various RADIUS Crypto-Agility proposals (Key Wrap, RADIUS over DTLS, RADIUS over TLS) to submit a write-up of how their proposal provides for automated key management, per RFC 4107, or why they think RFC 4107 requirements do not apply. In the latter case, the authors and the WG would need to be prepared to address any DISCUSS that might come from Sam during IESG review.
Another use case that I've recently become aware of is RADIUS Key Wrap for use in the HOKEY WG. We should address that, as well.
--- Begin Message ---
- To: "David B. Nelson" <dnelson@elbrysnetworks.com>
- Subject: Re: Reminder: automated key management is often required for new protocols
- From: Sam Hartman <hartmans-ietf@mit.edu>
- Date: Wed, 14 Nov 2007 14:43:03 -0500
- Cc: radiusext@ops.ietf.org
- Delivered-to: dnelson@elbrysnetworks.com
- In-reply-to: <473B2372.90007@elbrysnetworks.com> (David B. Nelson's message of "Wed, 14 Nov 2007 11:33:54 -0500")
- References: <BAY117-F33204AA79CFE4EDD62D5A093D40@phx.gbl> <015901c8263b$38ff71d0$091716ac@xpsuperdvd2> <tslk5okhoje.fsf@mit.edu> <473B2372.90007@elbrysnetworks.com>
- User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
>>>>> "David" == David B Nelson <dnelson@elbrysnetworks.com> writes:

    David> Well, besides that, some folks at Cisco expressed a desire
    David> to replace the crypto elements of RADIUS (e.g. key wrap,
    David> MAC, etc.) with algorithms and modes that would allow
    David> systems including RADIUS to receive FIPS certification, for
    David> solutions in government and financial services markets.
    David> Additionally, the folks behind the EduRoam consortium in
    David> Europe have deployed RADIUS over TLS for inter-university
    David> roaming authentication.

I think automated key management is important for both of these use cases.
--- End Message ---