Re: [radext] Proposed charter text based on IETF-115 BoF

Bernard Aboba <bernard.aboba@gmail.com> Tue, 22 November 2022 19:06 UTC

From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Tue, 22 Nov 2022 11:06:02 -0800
Message-Id: <329FE6EA-C1E6-4E16-8D0C-A68C32B67FB9@gmail.com>
References: <4ce6d292-bb34-5dd7-7b8b-d43c282658f1@iea-software.com>
Cc: radext@ietf.org
In-Reply-To: <4ce6d292-bb34-5dd7-7b8b-d43c282658f1@iea-software.com>
To: Peter Deacon <peterd@iea-software.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/0_Sh3ssEI3QTZBdzcf85iJxtDsM>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF

On Nov 22, 2022, at 08:56, Peter Deacon <peterd@iea-software.com> wrote:
> 
> It seems to me, given the list examples of non-approved algorithms for non-security, that SRADIUS is not necessary to comply with FIPS requirements.  With regards to RADIUS over TLS, MD5 use is "redundant" and security is provided by an approved cryptographic algorithm.
> 
> regards,
> Peter

+1. This is how RADIUS over IPsec was deployed to meet FIPS-140 requirements. If a known shared secret is used, and MD5 is turned off for user auth and attribute hiding, then MD5 serves no security purpose.