JiscMail Logo
Email discussion lists for the UK Education and Research communities

Help for MOONSHOT-COMMUNITY Archives


MOONSHOT-COMMUNITY Archives

MOONSHOT-COMMUNITY Archives


MOONSHOT-COMMUNITY@JISCMAIL.AC.UK


View:

Message:

[

First

|

Previous

|

Next

|

Last

]

By Topic:

[

First

|

Previous

|

Next

|

Last

]

By Author:

[

First

|

Previous

|

Next

|

Last

]

Font:

Proportional Font

LISTSERV Archives

LISTSERV Archives

MOONSHOT-COMMUNITY Home

MOONSHOT-COMMUNITY Home

MOONSHOT-COMMUNITY  July 2011

MOONSHOT-COMMUNITY July 2011

Options

Subscribe or Unsubscribe

Subscribe or Unsubscribe

Log In

Log In

Get Password

Get Password

Subject:

Re: Trust Router & Key Negotiation Protocol teleconference - 1400 BST on 6 July

From:

Alan DeKok <[log in to unmask]>

Reply-To:

Moonshot community list <[log in to unmask]>, Alan DeKok <[log in to unmask]>

Date:

Sat, 2 Jul 2011 10:10:11 +0200

Content-Type:

text/plain

Parts/Attachments:

Parts/Attachments

text/plain (61 lines)

Sam Hartman wrote:
> 1) It's difficult to use KNP for keying other AAA protocols. The details
> have become rather RADIUS specific  in Alan's proposal. While you could
> use something similar for Diameter you'd end up  redoing a lot of the
> spec and implementation work.

  The Diameter people use security?  Odd... most of what I've heard is
that it's usually bare TCP with nothing more than source IP filtering.

> 2) It seems to more require your KNP implementation be heavily tied into
> your RADIUS implemenetation.

  How many other federated authentication deployments are there?

> 3) You seem to have modified the RADIUS state machine somewhat and I'm
> concerned that it's going to be harder to perform security analysis of
> this than a separate protocol.

  I don't see how.  (i.e. RADIUS has a state machine?)

> 4) You probably need an integrity protected channel for parts of
> KNP. EAP doesn't give you an integrity-protected channel with the right
> parties.  Josh's approach of using EAP to key TLS does get you this, but
> there are (mostly political and implementation) costs associated with
> that.

  Why?  EAP already runs over insecure Wifi / wired links.  The entire
design goal of EAP is to run over untrusted channels.  The EAP method
used for bootstrapping needs channel bindings and integrity protection,
but that's already available.

> 5) I don't actually see advantages to tieing this to RADIUS. We're
> talking about something that runs on relatively high-end
> servers. Supporting multiple protocols does not seem to be a problem.

  For me, it's fragility.  My proposal involves essentially re-using the
RadSec infrastructure to bootstrap new RadSec connections.  The only
interface between the KNP and new RadSec connections is that they need
to share keying information.

  I could take a RadSec client *today*, and with a little bit of shell
scripting, use EAP, and glue the MSK from the RadSec client to a new
TLS-PSK.

  The alternative is a protocol soup of HTTP, GSS, etc.

> 7) Politically I don't think this approach can be standardized in the
> time available.  It would have to be done in RADEXT.  KNP makes a lot of
> ABFAB specific assumptions; doing it in a context general enough to work
> for RADEXT seems problematic to me.

  Possibly.  RADEXT has a history of taking years for any decision.

> This approach does have one significant advantage I can see: it removes
> an asymmetric relationship. In our protocol, depending on whether the
> next party to talk to is a RADSEC entity or a KNP entity, the kind of
> keys you need end up being different.  Alan's approach removes that.

  Yup.

  Alan DeKok.

Top of Message | Previous Page | Permalink

JiscMail Tools


RSS Feeds and Sharing


Advanced Options


Archives

September 2017
August 2017
July 2017
May 2017
April 2017
March 2017
February 2017
December 2016
November 2016
October 2016
August 2016
July 2016
June 2016
May 2016
March 2016
February 2016
January 2016
November 2015
October 2015
September 2015
August 2015
July 2015
June 2015
May 2015
April 2015
March 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
July 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010


WWW.JISCMAIL.AC.UK

Secured by F-Secure Anti-Virus CataList Email List Search Powered by the LISTSERV Email List Manager