RE: Progress on RADIUS Extension for Digest Authentication

Avi Lior <avi@bridgewatersystems.com> Thu, 18 November 2004 23:18 UTC

From: Avi Lior <avi@bridgewatersystems.com>
To: 'Bernard Aboba' <aboba@internaut.com>, radiusext@ops.ietf.org
Subject: RE: Progress on RADIUS Extension for Digest Authentication
Date: Thu, 18 Nov 2004 18:18:34 -0500

Hi Bernard,

Regarding Issue[7] The need to use Message Authenticator.

I think we all agreed that a message authenticator is needed here.  
I think the debate was whether the Message-Authenticator will suffice here.

You suggested that maybe we introduce a new attribute.  But as you pointed
out, while MD5 was found to be vulnerable, HMAC-MD5 was not. There was
lots of debate on this issue.

I don't think we would solve this issue in the near future.  This is
because, judging from the emails, I don't think we would get consensus even
if we created a new message authenticator based on HMAC-SHA1.

So my suggestion is to use Message-Authenticator(80), which is based
on HMAC-MD5, which is not broken, and proceed with the work.  Not having
anything is clearly bad.
 

> -----Original Message-----
> From: Bernard Aboba [mailto:aboba@internaut.com] 
> Sent: Thursday, November 18, 2004 1:16 PM
> To: radiusext@ops.ietf.org
> Subject: Progress on RADIUS Extension for Digest Authentication
> 
> 
> The specification "RADIUS Extension for Digest 
> Authentication" has completed RADEXT WG Last call.  Issues 
> filed against the specification are available here:
> 
> http://www.drizzle.com/~aboba/RADEXT/
> 
> The latest version of the specification is available here: 
> http://www.ietf.org/internet-drafts/draft-sterman-aaa-sip-04.txt
> 
> Further progress on this document requires that we verify 
> that changes made in the -04 document represent RADEXT WG 
> consensus. Since detailed text changes were not posted to the 
> RADEXT WG mailing list prior to the submission of the -04 
> document, it is not possible to determine whether RADEXT WG 
> consensus exists on the changes based on examination of the 
> mailing list discussion.  It is therefore not possible to 
> move forward on this document until this issue is cleared up.
> 
> In order to make progress, we have made a request that Issue 
> submitters and other WG participants examine the changes in 
> -04 and send email to the WG list, stating whether the 
> changes are acceptable.  So far, the mail received indicates 
> the following:
> 
> Issue 4: No mail received. WG consensus not verified.
> Issue 5: No mail received, Diameter draft needs to be updated before
>          determining whether the resolutions can work. WG consensus
>          not verified.
> Issue 6: No mail received. WG consensus not verified.
> Issue 7: Mail received, indicates WG consensus *against* the proposed
>          resolution. No consensus verified.
> Issue 8: No mail received, security issues raised at IETF 60. No
>          consensus verified.
> Issue 11: No mail received. No consensus verified.
> Issue 12: No mail received. No consensus verified.
> 
> Given the lack of confirming email, we are at present unable 
> to confirm whether the changes made in -04 represent WG 
> consensus, and in one case (Issue 7) it appears that the 
> proposed resolution has been rejected by the RADEXT WG.
> 
> In order to enable the WG to demonstrate sufficient interest, 
> we are going to extend the Request for Comment on the 
> proposed resolutions until
> December 6, 2004.   If you have submitted an Issue on the 
> document, and
> believe it has been resolved, please send mail with "Issue X: 
> Resolved" in the subject line, where X is the Issue number of 
> your issue.
> 
> If you have additional comments on the specification, or wish 
> to contest the resolution of an issue, please send email to 
> the RADEXT WG mailing list (radiusext@ops.ietf.org) in the 
> format described on the RADEXT WG mailing list:
> 
> http://www.drizzle.com/~aboba/RADEXT/
> 
> --
> to unsubscribe send a message to 
> radiusext-request@ops.ietf.org with the word 'unsubscribe' in 
> a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>
> 
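
Added example, not part of the original message or of the draft: how a Message-Authenticator(80) value is computed and checked on an Access-Request, as HMAC-MD5 over the whole packet keyed with the shared secret, with the attribute's 16 value bytes zeroed during the computation. The function names, the shared secret and the sample packet are constructed for illustration; only the Access-Request case is shown.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type named in the message above

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident, request_auth, attrs, secret):
    """Build an Access-Request (code 1) signed with Message-Authenticator."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    packet = bytearray(struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth + body)
    # HMAC-MD5 over the whole packet, keyed with the shared secret
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(packet, secret):
    """True only if exactly one well-formed attribute 80 is present and matches."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    buf, pos, found = bytearray(packet[:length]), 20, None
    while pos + 2 <= length:
        attr_type, attr_len = buf[pos], buf[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or found is not None:
                return False  # wrong size or duplicated
            found = pos + 2
        pos += attr_len
    if pos != length or found is None:
        return False  # trailing bytes, or attribute missing: fail closed
    received = bytes(buf[found:found + 16])
    buf[found:found + 16] = bytes(16)  # zero the field before recomputing
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

# Constructed sample values, not taken from the thread or the draft
SECRET = b"constructed-shared-secret"
USER_NAME = attr(1, b"alice")
SAMPLE = build_access_request(7, bytes(range(16)), USER_NAME, SECRET)
```

The verifier rejects a packet that lacks the attribute rather than skipping the check, so a sender cannot bypass integrity protection by omitting it.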
