IETF Logo Mail Archive

RE: RADEXT WG re-charter

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Fri, 18 April 2008 18:20 UTC

Return-Path: <owner-radiusext@ops.ietf.org>
X-Original-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Delivered-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 855AE3A6943 for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Fri, 18 Apr 2008 11:20:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.081
X-Spam-Level:
X-Spam-Status: No, score=-2.081 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QxgeI65uOzVs for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Fri, 18 Apr 2008 11:20:15 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id DB8273A6E99 for <radext-archive-IeZ9sae2@lists.ietf.org>; Fri, 18 Apr 2008 11:20:14 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from <owner-radiusext@ops.ietf.org>) id 1Jmv7s-000NR0-Oe for radiusext-data@psg.com; Fri, 18 Apr 2008 18:15:56 +0000
Received: from [171.71.176.70] (helo=sj-iport-1.cisco.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.68 (FreeBSD)) (envelope-from <jsalowey@cisco.com>) id 1Jmv7p-000NQQ-9Z for radiusext@ops.ietf.org; Fri, 18 Apr 2008 18:15:55 +0000
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-1.cisco.com with ESMTP; 18 Apr 2008 11:15:50 -0700
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id m3IIFof1002992; Fri, 18 Apr 2008 11:15:50 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id m3IIFouH016183; Fri, 18 Apr 2008 18:15:50 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 18 Apr 2008 11:15:49 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: RADEXT WG re-charter
Date: Fri, 18 Apr 2008 11:16:39 -0700
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE505A78497@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <f72b584be124b7e15a76ca38226e8829.squirrel@www.trepanning.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: RADEXT WG re-charter
Thread-Index: Acihexs9wuQMFAPzQfeXaNdQk2jAsQAAxCgw
References: <BLU137-W48C2DDC500B37865CBBD9F93F50@phx.gbl> <AC1CFD94F59A264488DC2BEC3E890DE50598D1E3@xmb-sjc-225.amer.cisco.com> <BLU137-DS39DAA210AA10B0CDB138F93EC0@phx.gbl> <AC1CFD94F59A264488DC2BEC3E890DE505A01761@xmb-sjc-225.amer.cisco.com> <010001c89c27$8a6ff5f0$1f0a0a0a@xpsuperdvd2> <001801c89e36$38856cf0$33da787c@arubanetworks.com> <019e01c89e3e$87835030$1f0a0a0a@xpsuperdvd2> <001d01c89e4f$53bed740$33da787c@arubanetworks.com> <01b201c89e55$0cab70b0$1f0a0a0a@xpsuperdvd2> <AC1CFD94F59A264488DC2BEC3E890DE505A020F0@xmb-sjc-225.amer.cisco.com> <f72b584be124b7e15a76ca38226e8829.squirrel@www.trepanning.net>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Dan Harkins <dharkins@lounge.org>
Cc: "David B. Nelson" <dnelson@elbrysnetworks.com>, radiusext@ops.ietf.org, Glen Zorn <glenzorn@comcast.net>, bernard_aboba@hotmail.com
X-OriginalArrivalTime: 18 Apr 2008 18:15:49.0994 (UTC) FILETIME=[3B20A4A0:01C8A180]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5317; t=1208542550; x=1209406550; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey@cisco.com; z=From:=20=22Joseph=20Salowey=20(jsalowey)=22=20<jsalowey@ci sco.com> |Subject:=20RE=3A=20RADEXT=20WG=20re-charter |Sender:=20; bh=7MB1kGtGzLUWAYTuqkbIeFQVlVNZl8dJO9bZ0jCs3yQ=; b=teRlrz/Ibgt2L4yeAA/Wb/KiDP3dUzxx5K6VjgQH8sLVwB0PQX1tTFHbWZ 4y35UxnpqiI7zLS2TCqmWqhXULwOSegKBDacT2C0biZSe7mrLj6RywYbrOzQ vpqwvuioD4oxDGjftLGdTQmpuTbM1FYY2GzXZMS3U7abuOeJ1mLRU=;
Authentication-Results: sj-dkim-1; header.From=jsalowey@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Sender: owner-radiusext@ops.ietf.org
Precedence: bulk

This is not a requirement for all deployments. If it is a requirement
then transport security presents a challenge, but it seems you could
encrypt the attributes that need to be separated, such as keys, with an
appropriate algorithm, such as SIV or the ever unpopular AES keywrap,
and then encapsulate the whole message including the encrypted
attributes with DTLS, IPSEC, etc. to protect additional attributes in
transit.  

So, I don't view these mechanisms as mutually exclusive. 

> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@lounge.org] 
> Sent: Friday, April 18, 2008 10:39 AM
> To: Joseph Salowey (jsalowey)
> Cc: David B. Nelson; radiusext@ops.ietf.org; Glen Zorn; 
> bernard_aboba@hotmail.com
> Subject: RE: RADEXT WG re-charter
> 
> 
>   Hi Joe,
> 
>   Pardon me for leaping so far back in this thread.
> 
>   Is it a requirement to support multiple pieces of data 
> encrypted with different keys in the same message? If it is 
> then apparently both DTLS and IPsec are out-of-the-running 
> since both those options secure the entire payload with one 
> set of keys. Is this your view?
> 
>   regards,
> 
>   Dan.
> 
> On Tue, April 15, 2008 1:07 pm, Joseph Salowey (jsalowey) wrote:
> > There are a few reasons why you would want to wrap keys separately 
> > from other data.  As you mentioned, the recommended 
> algorithms for key 
> > wrap may not be suitable for encrypting bulk data without special 
> > consideration and some bulk data encryption algorithms may not be 
> > recommended for key wrap without special consideration.  Another 
> > reason is that you may want the entity that handles the 
> keys and their 
> > context to be different from the entity that handles the 
> rest of the attributes.
> >
> >
> > Neither of these reasons forces you to have encryption tied 
> directly 
> > to the key attribute.  It is convenient since one is very often 
> > interested in encrypting keys, but you can achieve the same 
> thing with 
> > a generic encryption attribute if you take care.  You need 
> to support 
> > multiple pieces of data encrypted with different keys (key IDs, alg 
> > IDs, message boundaries, etc.) in the same message and you need to 
> > make sure that the various supported encryption algorithms are used 
> > correctly (type of cleartext, sufficient randomization, integrity 
> > protection, etc.).  These things don't necessarily happen 
> automatically or come for free.
> >
> > If you don't consider keys as part of the data you are wrapping for 
> > crypto agility, I'm not sure you will end up with a result that is 
> > very useful.
> >
> > Joe
> >> -----Original Message-----
> >> From: David B. Nelson [mailto:dnelson@elbrysnetworks.com]
> >> Sent: Monday, April 14, 2008 10:29 AM
> >> To: radiusext@ops.ietf.org; 'Glen Zorn'
> >> Cc: Joseph Salowey (jsalowey); Bernard_Aboba@hotmail.com
> >> Subject: RE: RADEXT WG re-charter
> >>
> >> Glen Zorn writes...
> >>
> >> > 'Frankly, my dear, I don't give a damn.'
> >>
> >> Cute...
> >>
> >> > It's been nearly 4 years (!) since 
> draft-zorn-radius-keywrap-00.txt 
> >> > was posted ... for at least 3 years there have been at 2 
> (or more) 
> >> > independent, interoperable implementations that were 
> FIPS-certified.
> >>
> >> Given that there are implementations of this key-wrap scheme, 
> >> presumably using VSAs, it might be well to publish an Information 
> >> RFC, describing the actual implementations, using those VSAs.
> >>
> >> > But wait!  Let's spend a little (lot) more time 
> conjecturing about 
> >> > another way, a way to solve "the general problem" (AKA 
> "boiling the 
> >> > ocean" if it's a proposal we don't care for).  Well, gosh,
> >> no thanks,
> >> > but you guys go ahead & have fun!
> >>
> >> RADEXT has a chartered work item to address crypto-agility.
> >> We have requirements for this wok, and we now have an ID capturing 
> >> those requirements.  We don't have a requirement to specifically 
> >> address key-wrap, as a separate problem.  My questions is whether 
> >> RADEXT really needs to create two drafts to satisfy the 
> >> crypto-agility work item, one for key-wrap and one for general 
> >> purpose encrypted attributes.  The fact that solutions, 
> and drafts, 
> >> exist to address key-wrap and encrypted attributes separately is a 
> >> point in favor of retaining the separation.  I'm just questioning 
> >> whether that's a sufficient basis on which to decide that we need 
> >> such separation of concerns.
> >>
> >> If the consensus us of the WG is that we should proceed 
> with separate 
> >> documents for key-wrap and general crypto-agility, we can propose 
> >> doing that in our revised charter.  It would be nice, however, to 
> >> have a reason beyond the existence of (4 year old) drafts that are 
> >> structured that way.
> >>
> >>
> >>
> >
> > --
> > to unsubscribe send a message to 
> radiusext-request@ops.ietf.org with 
> > the word 'unsubscribe' in a single line as the message text body.
> > archive: <http://psg.com/lists/radiusext/>
> >
> 
> 
> 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

v2.23.0 | Report a Bug | By Email