[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: RADEXT WG re-charter

To: <radiusext@ops.ietf.org>
Subject: RE: RADEXT WG re-charter
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
Date: Thu, 17 Apr 2008 18:02:34 -0400
In-reply-to: <BLU137-DS189C853D41C60ABA8537E93E50@phx.gbl>
Organization: Elbrys Networks, Inc.
References: <BLU137-W48C2DDC500B37865CBBD9F93F50@phx.gbl> <AC1CFD94F59A264488DC2BEC3E890DE50598D1E3@xmb-sjc-225.amer.cisco.com> <BLU137-DS39DAA210AA10B0CDB138F93EC0@phx.gbl> <AC1CFD94F59A264488DC2BEC3E890DE505A01761@xmb-sjc-225.amer.cisco.com> <010001c89c27$8a6ff5f0$1f0a0a0a@xpsuperdvd2> <001801c89e36$38856cf0$33da787c@arubanetworks.com> <019e01c89e3e$87835030$1f0a0a0a@xpsuperdvd2> <001d01c89e4f$53bed740$33da787c@arubanetworks.com> <01b201c89e55$0cab70b0$1f0a0a0a@xpsuperdvd2> <AC1CFD94F59A264488DC2BEC3E890DE505A020F0@xmb-sjc-225.amer.cisco.com> <00a201c89fc0$aadb86f0$6401a8c0@NEWTON603> <BLU137-DS189C853D41C60ABA8537E93E50@phx.gbl>

Bernard Aboba writes...

> At IETF 71, the technical discussion brought up the following points:
> 
> a.  The integrity protection for keywrap is considerably *weaker* 
> (e.g. 64 bits) than for standard MIC algorithms.
> b.  Encryption algorithms for keywrap cannot be securely used to do
> bulk encryption of data, but algorithms that can do bulk encryption
> can securely be used to encrypt keys.

Are there specific recommendations (e.g. an "SP" series document) from NIST
that cover the use of bulk encryption algorithms to encrypt keys?

> c. Existing IETF standards (such as Diameter EAP, RFC 4702) use TLS to
> protect keys.

> Given this, I would suggest that assertions made about NIST positions
> should be ruled out of scope, unless they come directly from
> representatives of NIST.

Or presumably from existing NIST publications...

I tend to think (individual opinion) that facilitating FIPS "certifiable"
implementations might be a reasonable requirement to be added into the
RADIUS Crypto-Agility Requirements draft, assuming the reference is to an
existing NIST publication.  I understand that these publications would
discuss algorithms and modes only, and not cover how to encapsulate a key in
a RADIUS attribute.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- RADEXT WG re-charter
  - From: Bernard Aboba <bernard_aboba@hotmail.com>
- RE: RADEXT WG re-charter
  - From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
- Re: RADEXT WG re-charter
  - From: <Bernard_Aboba@hotmail.com>
- RE: RADEXT WG re-charter
  - From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
- RE: RADEXT WG re-charter
  - From: "David B. Nelson" <dnelson@elbrysnetworks.com>
- RE: RADEXT WG re-charter
  - From: "Glen Zorn" <glenzorn@comcast.net>
- RE: RADEXT WG re-charter
  - From: "David B. Nelson" <dnelson@elbrysnetworks.com>
- RE: RADEXT WG re-charter
  - From: "Glen Zorn" <glenzorn@comcast.net>
- RE: RADEXT WG re-charter
  - From: "David B. Nelson" <dnelson@elbrysnetworks.com>
- RE: RADEXT WG re-charter
  - From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
- RE: RADEXT WG re-charter
  - From: "David B. Nelson" <d.b.nelson@comcast.net>
- Re: RADEXT WG re-charter
  - From: "Bernard Aboba" <Bernard_Aboba@hotmail.com>

Prev by Date: Invitation to join IETF proxy mailing list
Next by Date: RE: Meaning of "backward compatible" WAS RE: Consensus Call on RADEXT WG re-charter
Previous by thread: Re: RADEXT WG re-charter
Next by thread: RE: RADEXT WG re-charter
Index(es):
- Date
- Thread