
RE: [eap] RE: [Isms] RADIUS is not a trusted third party



John Vollbrecht writes ... [mailto:jrv@umich.edu]
> The question I am wondering about is whether the RADIUS server could be
> a trusted third party if it is directly connected to the NAS.  In that
> case it has credentials with all parties.  However the credentials are
> of quite different form - I am wondering if the form of credentials or
> the relationship between the credentials makes a difference in whether
> it can act effectively as a trusted third party.  My first guess is
> that it could (especially if RADIUS had stronger hashing) but I am not
> sure.
> What is your thought?

I suspect there are cases in which a single (non-proxy) RADIUS server
could act as a trusted third party, but that would depend on the extent
to which the RADIUS server and the EAP server were considered a single
entity.  I think the issue is whether all parties can [directly]
validate the bindings of authenticated identity to keys. When one set of
bindings is created via the EAP session between the EAP peer and EAP
server and another set of bindings is created via the RADIUS
authentication and authorization exchanges between the RADIUS server and
the NAS, there is certainly the opportunity for the parties to have
disjoint sets of key bindings.


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>