Re: [Cfrg] AAA versus A+AA was -> Re: how can CFRG improve cryptography in the Internet?
Paul Lambert <paul@marvell.com> Thu, 13 February 2014 17:27 UTC
Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 454791A0325 for <cfrg@ietfa.amsl.com>; Thu, 13 Feb 2014 09:27:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.967
X-Spam-Level:
X-Spam-Status: No, score=-0.967 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_12=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7FZwN1xIdMcg for <cfrg@ietfa.amsl.com>; Thu, 13 Feb 2014 09:27:03 -0800 (PST)
Received: from mx0a-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by ietfa.amsl.com (Postfix) with ESMTP id 043FA1A030B for <cfrg@irtf.org>; Thu, 13 Feb 2014 09:27:02 -0800 (PST)
Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id s1DHPk7O006820; Thu, 13 Feb 2014 09:25:46 -0800
Received: from sc-owa04.marvell.com ([199.233.58.150]) by mx0a-0016f401.pphosted.com with ESMTP id 1j0raajtax-7 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 13 Feb 2014 09:25:46 -0800
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA04.marvell.com ([fe80::e56e:83a7:9eef:b5a1%16]) with mapi; Thu, 13 Feb 2014 09:25:44 -0800
From: Paul Lambert <paul@marvell.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, "mcgrew@cisco.com" <mcgrew@cisco.com>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>
Date: Thu, 13 Feb 2014 09:25:44 -0800
Thread-Topic: [Cfrg] AAA versus A+AA was -> Re: how can CFRG improve cryptography in the Internet?
Thread-Index: Ac8o4KB0uP7Yj4khQauSfjVKP0uBlw==
Message-ID: <CF223C02.2F455%paul@marvell.com>
References: <CF215DFE.2F3AE%paul@marvell.com> <E1WDoyA-0003Xo-JQ@login01.fos.auckland.ac.nz>
In-Reply-To: <E1WDoyA-0003Xo-JQ@login01.fos.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
acceptlanguage: en-US
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-02-13_05:2014-02-13, 2014-02-13, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1402130092
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "nmav@gnutls.org" <nmav@gnutls.org>
Subject: Re: [Cfrg] AAA versus A+AA was -> Re: how can CFRG improve cryptography in the Internet?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Feb 2014 17:27:07 -0000
On 2/12/14, 9:36 PM, "Peter Gutmann" <pgut001@cs.auckland.ac.nz> wrote: >Paul Lambert <paul@marvell.com> writes: > >>I continue to wonder why we continue to build new systems on symmetric >>key >>based authentication techniques. Symmetric keys are the main reason we >>have >>a triple-A (AAA -> authentication, authorization and accounting) versus >>splitting up the functions and enabling a A+AA architecture where the >>authentication could be performed directly by the directly participating >>parties. > >The reason why it's a bad idea to do that with public-key is that, at >least in >the form of PKI, you start off doing the first A, and then you redo the >first >A, and then you make more changes to the first A, and then you release >first-A >version 3, and then you do some more of the first A, and 25-30 years >later >you're still redoing the first A without ever getting around to the other >two. >Symmetric-key RADIUS et al at least got around to doing all three right >from >the start. Yes Š good point, RADIUS could be relatively easily installed and then worked well enough. So the root of all security problems in the Internet is X.509 :-) We have architected security based on a subtly flawed overly complex authentication architecture. Paul > >Peter.
- [Cfrg] AAA versus A+AA was -> Re: how can CFRG im… Paul Lambert
- Re: [Cfrg] AAA versus A+AA was -> Re: how can CFR… Paul Lambert