[radext] PAKEs and secure RADIUS

Bernard Aboba <bernard.aboba@gmail.com> Tue, 19 September 2023 22:04 UTC

From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Tue, 19 Sep 2023 15:04:18 -0700
Message-ID: <CAOW+2dtGY8d7rouVh2-o0b7Xbp9HZGWkhZpvt3EBEx9=SiQgnw@mail.gmail.com>
To: radext@ietf.org
Subject: [radext] PAKEs and secure RADIUS
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/5egG2vLA1C2-aoR9C8L8soQ4TW0>
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>

[Changing the subject as Alan suggested]

Alan said:

"OK, but that's changing the subject.  If you want to write a document on
using SRP with RADIUS/TLS, that's completely separate from TLS-PSK."

[BA] Agreed.  But before we consider a PAKE document, I'd like to
understand if it would address the credential invalidation issues we've
been discussing.  For example, we have been talking about SRP in TLS 1.2,
OPAQUE in TLS 1.3 and maybe some (post-quantum) algorithm in TLS 1.4.

If the goal is to provide a stable roadmap for credentials in secure
RADIUS, that seems like more of a "long and winding road" than a straight
path that could be implemented and tested as part of a secure RADIUS
certification program.