[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Crypto-agility requirements: Backward Compatibility (from Issue 303)



Pasi's suggested text seems reasonable to me.  Anyone object to making the suggested change?


From: bernard_aboba@hotmail.com
To: radiusext@ops.ietf.org
Subject: Crypto-agility requirements: Backward Compatibility (from Issue 303)
Date: Sun, 28 Jun 2009 14:04:56 -0700


In Issue 303, Pasi Eronen said:

"
Backward compatibility/negotiation:

Section 4.3 says "Solutions to the problem MUST demonstrate backward
compatibility with existing RADIUS implementations. That is, a
crypto-agility solution needs to be able to send packets that a legacy
RADIUS client or server will receive and process successfully.
Similarly, a crypto-agility solution needs to be capable of receiving
and processing packets from a legacy RADIUS client or server."

The intent of this paragraph is probably right, but currently, it's
somewhat open to multiple interpretations. Would something like this
capture the intent?

"Solutions to the problem MUST demonstrate backward compatibility with
existing RADIUS implementations. That is, an implementation that
supports both the crypto-agility solution and legacy mechanisms MUST
be able to talk with legacy RADIUS clients and servers (using the
legacy mechanisms). Acceptable solutions to determining which set of
mechanisms is used (with a particular peer) include some kind of
negotiation, and manual configuration."

Note that *not* meeting this requirement would actually be quite
difficult... if the intent of this paragraph was to require some kind
of negotiation (interpreted loosely -- anything more automatic than
manual configuration), the text should say so.

"




i'm EMAILING FOR THE GREATER GOOD
Join me