[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Issue: realm validation in draft-ietf-radext-digest-auth

To: <radiusext@ops.ietf.org>
Subject: Issue: realm validation in draft-ietf-radext-digest-auth
From: "Salowey, Joe" <jsalowey@cisco.com>
Date: Thu, 17 Mar 2005 16:08:17 -0800

Realm validation
Submitter name: Joe Salowey	
Submitter email address: jsalowey@cisco.com 
Date first submitted: 3/17/2005
Reference: 
Document: Digest
Comment type: Technical
Priority: '1' Should fix
Section: 3.2 and 8 (security considerations) 
Rationale/Explanation of issue:

Is it allowed for a RADIUS server to support more than one realm?  If it
is then it seems that the RADIUS server should validate that the RADIUS
client is authorized to act in the realm of the request.  This is
especially true when returning a Digest-HA1 attribute. If it doesn't
then it seems that a compromised RADIUS client may have a route to
compromise other realms or impersonate a realm.  The same may also be
true of the digest URI if it is involved in the server calculations, but
this may not be as meaningful to the server.  

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Prev by Date: RE: Comments on draft-carroll-dynmobileip-cdma-04.txt
Next by Date: FW: [Pana] RADIUS Access-Reject and NAP/ISP authz
Previous by thread: Interoperability between RADIUS Digest Auth and SASL Digest Auth
Next by thread: FW: [Pana] RADIUS Access-Reject and NAP/ISP authz
Index(es):
- Date
- Thread