RE: draft-gaonkar-radext-erp-attrs-03
> > There is a desire to use NIST-approved key-wrap
> > algorithms for wrapping keys, and those algorithms are inappropriate for
> > general-purpose data encryption.
>
> I'm not sure why this is a problem. The encrypted attribute
> container can include an algorithm field, so that it would be possible to
> encrypt one bag of attributes (not keys) with one algorithm, while using
> a keywrap algorithm for another bag (which represents keys).
In our hallway discussion of this afternoon, Joe Salowey indicated that his
preference is to make it harder for an implementer to make the mistake of
using the incorrect class of cipher-suite, e.g. to protect general data with
a key-wrap (too weak) or protect a key with a non-NIST-approved algorithm.
Otherwise, we could do as you suggest. I had made the same point during our
discussion.
> * Are general encryption algorithms suitable for use in encrypting keys?
There are really two questions -- (a) "is the algorithm and mode suitably
strong?" and (b) "is it NIST-approved?" The former is easier to satisfy.
--
archive: <http://psg.com/lists/radiusext/>