
Re: E2E and crypto-agility



Is there a *real-world* problem we're trying
to solve here, or a theoretical exercise that is made moot by real-world
business realities?

I think there may be a problem here, but I'm not clear how that problem
is related to "RADIUS crypto-agility" or why it is in the interest of the
RADEXT WG to try to solve it at the present moment.

For example, using crypto-agility, ciphersuites can be negotiated to
provide improved integrity protection as well as confidentiality for a
portion or all of the RADIUS packet.

This would seem to be an orthogonal question to the topology of
RADIUS clients, proxies and servers. Or am I missing something?

Yes, automated key management, if implemented, might make it
possible for untrusted proxies to be bypassed (e.g. the local
proxy might be able to bypass a less trustworthy proxy and
talk to an entity closer to the home server, assuming that the two
entities share trust anchors).

And yes, it is possible that somewhere, somehow, someone
might want to implement Kerb/RADIUS or CMS (which were
discussed in AAA WG years ago but which languished for lack of interest). However, to me this doesn't seem like a requirement in the development of the two proposals that we've been discussing.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>