[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: E2E and crypto-agility
Glen Zorn wrote:
> The only purpose of which I'm aware for e2e encryption in RADIUS is the
> hiding of the encrypted things from proxies.
I trust the people I work with enough to leave my car keys out in
public. But I don't hand them the keys and say "go ahead, take it."
For me, e2e encryption in RADIUS is about *increasing* the security,
not *perfecting* it. The proxies have no business knowing the keys, so
e2e encryption helps increase security.
If the proxies collude with the local network, then they can gain
information that negates e2e encryption... because they effectively
become one of the "ends" in "end-to-end".
I see no problem here. e2e encryption is useful, and there are
multiple methods where this can be done to *improve* security without
making it perfect.
Alan DeKok.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>