[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: E2E and crypto-agility

To: "Alan DeKok" <aland@nitros9.org>, <radiusext@ops.ietf.org>
Subject: Re: E2E and crypto-agility
From: <Bernard_Aboba@hotmail.com>
Date: Wed, 26 Dec 2007 10:42:20 -0800
In-reply-to: <tslabo4d851.fsf@mit.edu> <BAY117-W1792E6240C29062FF9B6F2935F0@phx.gbl> <47729414.9070608@nitros9.org>
References: <tslabo4d851.fsf@mit.edu> <BAY117-W1792E6240C29062FF9B6F2935F0@phx.gbl> <47729414.9070608@nitros9.org>

 What is "end to end" ?


I think it means something like "protection of RADIUS attributes from

disclosure to parties other than the NAS and home server".

 I don't see how we could do NAS to home server key transport in
RADIUS. So the answer is (I think) "No".


In the AAA WG there were a number of mechanisms investigated by
which a NAS and home server could derive a key that could be
used to protect attributes from disclosure to proxies.  These methods
included Kerberos and CMS.  For example, see:
http://www.watersprings.org/pub/id/draft-kaushik-radius-sec-ext-06.txt

So I think the question is not "can it be done?" but rather"how does this relate to RADIUS crypto-agility?" and

"should solving this problem be a requirement?"









--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: E2E and crypto-agility
  - From: Alan DeKok <aland@nitros9.org>

References:
- RE: [ Comments on automated key management and crypto agility
  - From: Bernard Aboba <bernard_aboba@hotmail.com>
- Re: [ Comments on automated key management and crypto agility
  - From: Alan DeKok <aland@nitros9.org>

Prev by Date: RE: Questions on modified Extended Attribute format?
Next by Date: Re: Comments on "practical deployments"
Previous by thread: RE: [ Comments on automated key management and crypto agility
Next by thread: Re: E2E and crypto-agility
Index(es):
- Date
- Thread