IETF Logo Mail Archive

RE: RADEXT WG re-charter

"Dan Harkins" <dharkins@lounge.org> Fri, 18 April 2008 17:44 UTC

Return-Path: <owner-radiusext@ops.ietf.org>
X-Original-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Delivered-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 043DD3A6A74 for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Fri, 18 Apr 2008 10:44:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.683
X-Spam-Level: *
X-Spam-Status: No, score=1.683 tagged_above=-999 required=5 tests=[AWL=-0.628, BAYES_40=-0.185, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, IP_NOT_FRIENDLY=0.334, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GOlHpfmcyqIV for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Fri, 18 Apr 2008 10:44:40 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 222CE3A6C58 for <radext-archive-IeZ9sae2@lists.ietf.org>; Fri, 18 Apr 2008 10:44:40 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from <owner-radiusext@ops.ietf.org>) id 1JmuYH-000HRc-JJ for radiusext-data@psg.com; Fri, 18 Apr 2008 17:39:09 +0000
Received: from [69.55.226.174] (helo=colo.trepanning.net) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from <dharkins@lounge.org>) id 1JmuY6-000HPe-Hd for radiusext@ops.ietf.org; Fri, 18 Apr 2008 17:39:04 +0000
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 26ACC10224074; Fri, 18 Apr 2008 10:38:58 -0700 (PDT)
Received: from 216.31.249.246 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Fri, 18 Apr 2008 10:38:58 -0700 (PDT)
Message-ID: <f72b584be124b7e15a76ca38226e8829.squirrel@www.trepanning.net>
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE505A020F0@xmb-sjc-225.amer.cisco.com>
References: <BLU137-W48C2DDC500B37865CBBD9F93F50@phx.gbl> <AC1CFD94F59A264488DC2BEC3E890DE50598D1E3@xmb-sjc-225.amer.cisco.com> <BLU137-DS39DAA210AA10B0CDB138F93EC0@phx.gbl> <AC1CFD94F59A264488DC2BEC3E890DE505A01761@xmb-sjc-225.amer.cisco.com> <010001c89c27$8a6ff5f0$1f0a0a0a@xpsuperdvd2> <001801c89e36$38856cf0$33da787c@arubanetworks.com> <019e01c89e3e$87835030$1f0a0a0a@xpsuperdvd2> <001d01c89e4f$53bed740$33da787c@arubanetworks.com> <01b201c89e55$0cab70b0$1f0a0a0a@xpsuperdvd2> <AC1CFD94F59A264488DC2BEC3E890DE505A020F0@xmb-sjc-225.amer.cisco.com>
Date: Fri, 18 Apr 2008 10:38:58 -0700
Subject: RE: RADEXT WG re-charter
From: Dan Harkins <dharkins@lounge.org>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Cc: "David B. Nelson" <dnelson@elbrysnetworks.com>, radiusext@ops.ietf.org, Glen Zorn <glenzorn@comcast.net>, bernard_aboba@hotmail.com
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Sender: owner-radiusext@ops.ietf.org
Precedence: bulk

  Hi Joe,

  Pardon me for leaping so far back in this thread.

  Is it a requirement to support multiple pieces of data encrypted with
different keys in the same message? If it is then apparently both DTLS
and IPsec are out-of-the-running since both those options secure the
entire payload with one set of keys. Is this your view?

  regards,

  Dan.

On Tue, April 15, 2008 1:07 pm, Joseph Salowey (jsalowey) wrote:
> There are a few reasons why you would want to wrap keys separately from
> other data.  As you mentioned, the recommended algorithms for key wrap
> may not be suitable for encrypting bulk data without special
> consideration and some bulk data encryption algorithms may not be
> recommended for key wrap without special consideration.  Another reason
> is that you may want the entity that handles the keys and their context
> to be different from the entity that handles the rest of the attributes.
>
>
> Neither of these reasons forces you to have encryption tied directly to
> the key attribute.  It is convenient since one is very often interested
> in encrypting keys, but you can achieve the same thing with a generic
> encryption attribute if you take care.  You need to support multiple
> pieces of data encrypted with different keys (key IDs, alg IDs, message
> boundaries, etc.) in the same message and you need to make sure that the
> various supported encryption algorithms are used correctly (type of
> cleartext, sufficient randomization, integrity protection, etc.).  These
> things don't necessarily happen automatically or come for free.
>
> If you don't consider keys as part of the data you are wrapping for
> crypto agility, I'm not sure you will end up with a result that is very
> useful.
>
> Joe
>> -----Original Message-----
>> From: David B. Nelson [mailto:dnelson@elbrysnetworks.com]
>> Sent: Monday, April 14, 2008 10:29 AM
>> To: radiusext@ops.ietf.org; 'Glen Zorn'
>> Cc: Joseph Salowey (jsalowey); Bernard_Aboba@hotmail.com
>> Subject: RE: RADEXT WG re-charter
>>
>> Glen Zorn writes...
>>
>> > 'Frankly, my dear, I don't give a damn.'
>>
>> Cute...
>>
>> > It's been nearly 4 years (!) since draft-zorn-radius-keywrap-00.txt
>> > was posted ... for at least 3 years there have been at 2 (or more)
>> > independent, interoperable implementations that were FIPS-certified.
>>
>> Given that there are implementations of this key-wrap scheme,
>> presumably using VSAs, it might be well to publish an
>> Information RFC, describing the actual implementations, using
>> those VSAs.
>>
>> > But wait!  Let's spend a little (lot) more time conjecturing about
>> > another way, a way to solve "the general problem" (AKA "boiling the
>> > ocean" if it's a proposal we don't care for).  Well, gosh,
>> no thanks,
>> > but you guys go ahead & have fun!
>>
>> RADEXT has a chartered work item to address crypto-agility.
>> We have requirements for this wok, and we now have an ID
>> capturing those requirements.  We don't have a requirement to
>> specifically address key-wrap, as a separate problem.  My
>> questions is whether RADEXT really needs to create two drafts
>> to satisfy the crypto-agility work item, one for key-wrap and
>> one for general purpose encrypted attributes.  The fact that
>> solutions, and drafts, exist to address key-wrap and
>> encrypted attributes separately is a point in favor of
>> retaining the separation.  I'm just questioning whether
>> that's a sufficient basis on which to decide that we need
>> such separation of concerns.
>>
>> If the consensus us of the WG is that we should proceed with
>> separate documents for key-wrap and general crypto-agility,
>> we can propose doing that in our revised charter.  It would
>> be nice, however, to have a reason beyond the existence of (4
>> year old) drafts that are structured that way.
>>
>>
>>
>
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>
>



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

v2.23.0 | Report a Bug | By Email