RE: RADEXT WG re-charter
owner-radiusext@ops.ietf.org scribbled on Monday, April 14, 2008 9:48 PM:
> Glen Zorn writes...
>
>> There was indeed discussion, but mostly in the form of various
>> assertions by the radext Chairs that this would be a good idea;
>
> That much is largely true.
>
>> ... I don't recall anything like consensus around this topic.
>
> Unless I much mistake the poll questions and results that
> Charles facilitated during the HOKEY meeting, there was
> consensus in the room.
I really appreciate your judgment of consensus in the hokey WG. Please
drop by more often.
> Of course, that is subject to
> consensus on the list. I'm also aware that you think this is not a
> good idea.
See below.
>
>> I guess, then, that "gaining FIPS certification" is an unsatisfactory
>> answer, since that was the one I (among others) gave. So what would
>> be a satisfactory answer?
>
> Well, "gaining FIPS certification" for a product release is
> likely a very fine thing indeed. I guess the question is
> whether the only way to do that is to use the AES key-wrap as
> described in draft-zorn-radius-keywrap-13.txt, or whether
> another NIST-approved algorithm, designed for bulk data
> encryption might also be used?
> In the latter case we solve
> the more general problem, without requiring separate attribute
> formats for keys and general purpose data.
'Frankly, my dear, I don't give a damn.' I do find it quite fascinating
to observe this whole thing happening in (very) slow motion. It's been
nearly 4 years (!) since draft-zorn-radius-keywrap-00.txt was posted &
in that period of time every trick in the book (& I'm sure some that
were new additions) has been used to ignore, delay or kill it;
furthermore, for at least 3 years there have been at least 2 (or more)
independent, interoperable implementations that were FIPS-certified.
But wait! Let's spend a little (lot) more time conjecturing about
another way, a way to solve "the general problem" (AKA "boiling the
ocean" if it's a proposal we don't care for). Well, gosh, no thanks,
but you guys go ahead & have fun!
>
>
>
> --
> to unsubscribe send a message to
> radiusext-request@ops.ietf.org with the word 'unsubscribe' in
> a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>