RADIUS Attribute Hiding and radext-digest-auth
Hi,
So we have some ways to encrypt individual RADIUS attributes. When authorizing
sips or https connections, at least RADIUS attributes revealing the identity must
be encrypted. In radext-digest-auth this applies to the following attributes:
- User-Name
- Digest-Username
- Digest-URI
- SIP-AOR [not yet in the draft]
Digest-HA1 would profit from encryption, too.
We can re-define Digest-Username, Digest-URI and SIP-AOR to use one of the
encryption algorithms Bernard summarized in a previous post. We can't do
this for User-Name; a new Encrypted-User-Name attribute would be necessary.
Message-Authenticator does not help here.
Should I change the document to use the attribute hiding mechanism (Tunnel-Password)
described in RFC 2868, despite its weaknesses?
Or is making IPsec mandatory in the relevant cases acceptable (as it is in
the current version)?
Wolfgang
--
T-Systems
Internet Platforms
+49 6151 937 2863
Am Kavalleriesand 3
64295 Darmstadt
Germany
--
archive: <http://psg.com/lists/radiusext/>
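
Added example, not part of the original message or of the draft: a Python implementation of the Tunnel-Password hiding from RFC 2868 (section 3.5), the mechanism the message asks about, applied to an identity-bearing value such as Digest-Username. The function names, the shared secret and the sample value used with it are assumptions made for the illustration.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest size; the hiding works on 16-octet blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide(value: bytes, secret: bytes, req_auth: bytes, salt: bytes = None) -> bytes:
    """Return Salt || ciphertext, laid out like the Tunnel-Password String field."""
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(value) > 255:
        raise ValueError("value does not fit the one-octet Data-Length field")
    if salt is None:
        rnd = os.urandom(2)
        salt = bytes([rnd[0] | 0x80, rnd[1]])  # most significant bit must be set
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    plain = bytes([len(value)]) + value        # Data-Length octet, then the value
    plain += b"\x00" * (-len(plain) % BLOCK)   # pad to a multiple of 16 octets
    out, prev = b"", req_auth + salt           # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), BLOCK):
        c = _xor(plain[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += c
        prev = c                               # b(i) = MD5(S + c(i-1))
    return salt + out


def unhide(field: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Reverse hide(); raises ValueError when the result is structurally invalid."""
    if len(field) < 2 + BLOCK or (len(field) - 2) % BLOCK:
        raise ValueError("malformed hidden field")
    salt, cipher = field[:2], field[2:]
    plain, prev = b"", req_auth + salt
    for i in range(0, len(cipher), BLOCK):
        c = cipher[i:i + BLOCK]
        plain += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    n = plain[0]                               # recovered Data-Length octet
    if n > len(plain) - 1:
        raise ValueError("Data-Length exceeds decrypted data")
    return plain[1:1 + n]
```

A wrong shared secret is only noticed when the recovered Data-Length octet is implausible; the construction carries no integrity check of its own.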