IETF Logo Mail Archive

RE: RADEXT WG re-charter

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Tue, 15 April 2008 20:13 UTC

Return-Path: <owner-radiusext@ops.ietf.org>
X-Original-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Delivered-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A64073A6825 for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Tue, 15 Apr 2008 13:13:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.211
X-Spam-Level:
X-Spam-Status: No, score=-5.211 tagged_above=-999 required=5 tests=[AWL=-0.716, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KzPmUHhfttEX for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Tue, 15 Apr 2008 13:13:23 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 41EDB3A6A87 for <radext-archive-IeZ9sae2@lists.ietf.org>; Tue, 15 Apr 2008 13:13:23 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from <owner-radiusext@ops.ietf.org>) id 1JlrQM-000Hbw-SI for radiusext-data@psg.com; Tue, 15 Apr 2008 20:06:38 +0000
Received: from [171.71.176.117] (helo=sj-iport-6.cisco.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.68 (FreeBSD)) (envelope-from <jsalowey@cisco.com>) id 1JlrQJ-000HbP-Na for radiusext@ops.ietf.org; Tue, 15 Apr 2008 20:06:37 +0000
Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by sj-iport-6.cisco.com with ESMTP; 15 Apr 2008 13:06:35 -0700
Received: from sj-core-3.cisco.com (sj-core-3.cisco.com [171.68.223.137]) by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id m3FK6Ymv016413; Tue, 15 Apr 2008 13:06:34 -0700
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-3.cisco.com (8.13.8/8.13.8) with ESMTP id m3FK6YTk008402; Tue, 15 Apr 2008 20:06:34 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 15 Apr 2008 13:06:34 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: RADEXT WG re-charter
Date: Tue, 15 Apr 2008 13:07:24 -0700
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE505A020F0@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <01b201c89e55$0cab70b0$1f0a0a0a@xpsuperdvd2>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: RADEXT WG re-charter
Thread-Index: AcibKmpZgzQ6RN9kSDumURarkD8Q7QA1pQQAAAk0NnAARmUsYAA/TUJQAAOwYFAAAers8AAWnCbA
References: <BLU137-W48C2DDC500B37865CBBD9F93F50@phx.gbl> <AC1CFD94F59A264488DC2BEC3E890DE50598D1E3@xmb-sjc-225.amer.cisco.com> <BLU137-DS39DAA210AA10B0CDB138F93EC0@phx.gbl> <AC1CFD94F59A264488DC2BEC3E890DE505A01761@xmb-sjc-225.amer.cisco.com> <010001c89c27$8a6ff5f0$1f0a0a0a@xpsuperdvd2> <001801c89e36$38856cf0$33da787c@arubanetworks.com> <019e01c89e3e$87835030$1f0a0a0a@xpsuperdvd2> <001d01c89e4f$53bed740$33da787c@arubanetworks.com> <01b201c89e55$0cab70b0$1f0a0a0a@xpsuperdvd2>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "David B. Nelson" <dnelson@elbrysnetworks.com>, radiusext@ops.ietf.org, Glen Zorn <glenzorn@comcast.net>
Cc: Bernard_Aboba@hotmail.com
X-OriginalArrivalTime: 15 Apr 2008 20:06:34.0466 (UTC) FILETIME=[344D5C20:01C89F34]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3504; t=1208289994; x=1209153994; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey@cisco.com; z=From:=20=22Joseph=20Salowey=20(jsalowey)=22=20<jsalowey@ci sco.com> |Subject:=20RE=3A=20RADEXT=20WG=20re-charter |Sender:=20; bh=rnyo5RQGguxc8LihqxMd1hh6c5boYtNtk7MTNty7Vsc=; b=DOVeoyPa1Bp+QmEbclY32V+WyiJGTlG/89J1aR/ro2P0RpseyhfgIz3Gw+ BBH1mCL3z8sgB52Su877D/kt1fYrgHcT0FCbA4QqxI9vE7i2L40/cT2PU7Ju YfZM6iEr09;
Authentication-Results: sj-dkim-4; header.From=jsalowey@cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; );
Sender: owner-radiusext@ops.ietf.org
Precedence: bulk

There are a few reasons why you would want to wrap keys separately from
other data.  As you mentioned, the recommended algorithms for key wrap
may not be suitable for encrypting bulk data without special
consideration and some bulk data encryption algorithms may not be
recommended for key wrap without special consideration.  Another reason
is that you may want the entity that handles the keys and their context
to be different from the entity that handles the rest of the attributes.


Neither of these reasons forces you to have encryption tied directly to
the key attribute.  It is convenient since one is very often interested
in encrypting keys, but you can achieve the same thing with a generic
encryption attribute if you take care.  You need to support multiple
pieces of data encrypted with different keys (key IDs, alg IDs, message
boundaries, etc.) in the same message and you need to make sure that the
various supported encryption algorithms are used correctly (type of
cleartext, sufficient randomization, integrity protection, etc.).  These
things don't necessarily happen automatically or come for free. 

If you don't consider keys as part of the data you are wrapping for
crypto agility, I'm not sure you will end up with a result that is very
useful.  

Joe 
> -----Original Message-----
> From: David B. Nelson [mailto:dnelson@elbrysnetworks.com] 
> Sent: Monday, April 14, 2008 10:29 AM
> To: radiusext@ops.ietf.org; 'Glen Zorn'
> Cc: Joseph Salowey (jsalowey); Bernard_Aboba@hotmail.com
> Subject: RE: RADEXT WG re-charter
> 
> Glen Zorn writes...
> 
> > 'Frankly, my dear, I don't give a damn.' 
> 
> Cute...
> 
> > It's been nearly 4 years (!) since draft-zorn-radius-keywrap-00.txt 
> > was posted ... for at least 3 years there have been at 2 (or more) 
> > independent, interoperable implementations that were FIPS-certified.
> 
> Given that there are implementations of this key-wrap scheme, 
> presumably using VSAs, it might be well to publish an 
> Information RFC, describing the actual implementations, using 
> those VSAs.
> 
> > But wait!  Let's spend a little (lot) more time conjecturing about 
> > another way, a way to solve "the general problem" (AKA "boiling the 
> > ocean" if it's a proposal we don't care for).  Well, gosh, 
> no thanks, 
> > but you guys go ahead & have fun!
> 
> RADEXT has a chartered work item to address crypto-agility.  
> We have requirements for this wok, and we now have an ID 
> capturing those requirements.  We don't have a requirement to 
> specifically address key-wrap, as a separate problem.  My 
> questions is whether RADEXT really needs to create two drafts 
> to satisfy the crypto-agility work item, one for key-wrap and 
> one for general purpose encrypted attributes.  The fact that 
> solutions, and drafts, exist to address key-wrap and 
> encrypted attributes separately is a point in favor of 
> retaining the separation.  I'm just questioning whether 
> that's a sufficient basis on which to decide that we need 
> such separation of concerns.
> 
> If the consensus us of the WG is that we should proceed with 
> separate documents for key-wrap and general crypto-agility, 
> we can propose doing that in our revised charter.  It would 
> be nice, however, to have a reason beyond the existence of (4 
> year old) drafts that are structured that way.
> 
> 
> 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

v2.23.0 | Report a Bug | By Email