
RE: Review of draft-zorn-radius-keywrap-07.txt



> >> In speaking with Russ Housley on the key-wrap issues, Russ indicated
> >> that it would need to be on an end-to-end basis.
> 
> Except that that's not how RADIUS works...

Right.  RADIUS security is between a RADIUS client and server.  There are 
no other entities involved. 

> Under that interpretation, though, 
> I don't think that Kerberos would satisfy the criteria, either: a 
> Kerberos server has knowledge of lots of keys that are used by various 
> parties to protect things that are none of the server's business 
> (e.g., telnet data).  With Kerberos, we get around that little problem 
> by declaring the Kerberos server to be unconditionally trusted.

Right.  It seems to me that the criteria may be too strict.  I'm not sure 
why a Kerberos server can be "unconditionally trusted" but a RADIUS server 
would not be. 
