[radext] #95: Section 4.2
Section 4.2 is not clear about what kind of public key credentials are to be
supported (e.g. X.509 certificates, public keys without certs, etc.).
Also, it is not clear whether dynamic discovery is a normative requirement
or whether another discovery mechanism could be used (such as manual
configuration).
Proposed change:
Limit key scope
In order to enable a NAS and RADIUS server to exchange confidential
information such as keying material without disclosure to third
parties, it is RECOMMENDED that a RADIUS crypto-agility solution
support X.509 certificates for authentication between the NAS and
RADIUS server. Manual configuration as well as automated discovery
mechanisms such as NAI-based Dynamic Peer Discovery [RADYN] can be
used to enable direct NAS-RADIUS server communications. Support
for end-to-end confidentiality of RADIUS attributes is not
required.
For compatibility with existing operations, RADIUS crypto-agility
solutions SHOULD also support pre-shared key credentials. However,
support for direct communications between the NAS and RADIUS server
is not required when pre-shared key credentials are used.
--
---------------------------------------+------------------------------------
Reporter: bernard_aboba@… | Owner:
Type: defect | Status: new
Priority: major | Milestone: milestone1
Component: Crypto-Agility | Version: 1.0
Severity: In WG Last Call | Keywords:
---------------------------------------+------------------------------------
Ticket URL: <http://trac.tools.ietf.org/wg/radext/trac/ticket/95>
radext <http://tools.ietf.org/radext/>
archive: <http://psg.com/lists/radiusext/>