RE: E2E and crypto-agility
Glen Zorn wrote:
> The only purpose of which I'm aware for e2e encryption in RADIUS is the
> hiding of the encrypted things from proxies.
I trust the people I work with enough to leave my car keys out in
public. But I don't hand them the keys and say "go ahead, take it."
For me, e2e encryption in RADIUS is about *increasing* the security,
not *perfecting* it. The proxies have no business knowing the keys, so
e2e encryption helps increase security.
If the proxies collude with the local network, then they can gain
information that negates e2e encryption... because they effectively
become one of the "ends" in "end-to-end".
[gwz]
No collusion is required, just a hack combined with sniffing the wireless:
barely more effort than w/o this stuff...
[/gwz]
I see no problem here. e2e encryption is useful, and there are
multiple methods where this can be done to *improve* security without
making it perfect.
[gwz]
If that is your goal, I'd suggest trying to find a method that doesn't
involve modifying every L2 in the world...
[/gwz]
Alan DeKok.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>