IETF Logo Mail Archive

Re: [radext] BoF request for IETF 115

Peter Deacon <peterd@iea-software.com> Sat, 24 September 2022 15:04 UTC

Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EA79C1526EF for <radext@ietfa.amsl.com>; Sat, 24 Sep 2022 08:04:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.51
X-Spam-Level:
X-Spam-Status: No, score=-1.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.398, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xYY6lHD8EvZ2 for <radext@ietfa.amsl.com>; Sat, 24 Sep 2022 08:04:38 -0700 (PDT)
Received: from aspen.iea-software.com (www.iea-software.com [70.89.142.193]) by ietfa.amsl.com (Postfix) with ESMTP id 13298C152595 for <radext@ietf.org>; Sat, 24 Sep 2022 08:04:37 -0700 (PDT)
Received: from littlesmurf.peterd.ws (unverified [10.0.3.39]) by aspen.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0006176101@aspen.iea-software.com>; Sat, 24 Sep 2022 08:04:37 -0700
Date: Sat, 24 Sep 2022 08:05:13 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Alexander Clouter <alex+ietf@coremem.com>
cc: "radext@ietf.org" <radext@ietf.org>
In-Reply-To: <788eea99-21ab-4cc7-8e3e-67a2f8f480d6@www.fastmail.com>
Message-ID: <913b7f5f-664b-e0c0-f3d2-fc9a1a7ed6b5@iea-software.com>
References: <CAOW+2ds134ZJ+somFXsL=27=pvtUT2hNU6G9_8cpM3VoWEcN9Q@mail.gmail.com> <ab874879-3cdd-6cdb-e9a0-07a405272088@iea-software.com> <788eea99-21ab-4cc7-8e3e-67a2f8f480d6@www.fastmail.com>
User-Agent: Alpine 2.26 (WNT 649 2022-06-02)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="5078641-16174-1664031619=:9556"
Content-ID: <5d4eae26-6277-cd3b-14cc-cb8c7cc6888f@iea-software.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/xb2sOslFLcmKguPgitIYo3DJKZw>
Subject: Re: [radext] BoF request for IETF 115
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Sep 2022 15:04:40 -0000

On Sat, 24 Sep 2022, Alexander Clouter wrote:

> On Fri, 23 Sep 2022, at 21:38, Peter Deacon wrote:

>>> My concern is that the "shared secrets" used in today's RADIUS 
>>> deployments often have little entropy, leaving them open to 
>>> password-guessing attacks. So some additional thinking may be required 
>>> here.

>> Recommend using PAKE like the old TLS-SRP instead of TLS-PSK for password 
>> based secrets.

> Someone did try to graft PAKE into TLS but it ran out of steam[1]. 
> Should this be a blocker to the SRADIUS draft?

Presently PAKEs don't work with TLS 1.3.  Otherwise TLS-SRP is widely 
available in TLS 1.2.

regards,
Peter

v2.23.0 | Report a Bug | By Email