Hi Jim, in issue #28 http://trac.tools.ietf.org/wg/abfab/trac/ticket/28 you wrote:
" The document needs to discuss the protections (or lack thereof) for the MSK as it travels from the IdP to the RP. Known issues are:
1. In RADIUS the security (encryption and authentication) is hop to hop - so in theory any AAA proxy can decrypt the messages.
2. In Diameter there is no(?) current ability to encrypt either hop to hop or end-to-end. "

The standardized and deployed security protection in RADIUS and Diameter is hop-by-hop. Hence, the AAA messages can be read by AAA intermediaries, which is the intention for most of the payload but not for the MSK. Luckily, the MSK itself does not help these intermediaries since they do not get to see the data traffic that is protected with the MSK (or keys derived from the MSK).

Nevertheless, it may be useful to point to http://tools.ietf.org/html/rfc4962 for a discussion of the security of the AAA key management. It is currently not referenced by the document.

Ciao
Hannes
_______________________________________________ abfab mailing list [email protected] https://www.ietf.org/mailman/listinfo/abfab
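As an added illustration of the hop-by-hop point above (this is not code from the mail, the ABFAB documents or any AAA implementation), the following Python models how an EAP MSK is carried in a RADIUS Access-Accept using the MS-MPPE-Recv-Key encryption of RFC 2548: the key is encrypted with the shared secret of one hop, so a proxy must decrypt it and re-encrypt it for the next hop and therefore sees the cleartext MSK. The shared secrets, Request-Authenticators, salts and the MSK value are all constructed for the example; `proxy_relay` and `demo` are hypothetical helper names.

```python
"""Hop-by-hop protection of an EAP MSK in RADIUS, modelled after the
MS-MPPE-Send/Recv-Key encryption of RFC 2548 section 2.4 (toy model,
not ABFAB or RADIUS server code)."""
import hashlib
import os


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def new_salt() -> bytes:
    """Two-octet salt; RFC 2548 requires the high bit of the first octet set."""
    raw = os.urandom(2)
    return bytes([raw[0] | 0x80, raw[1]])


def mppe_encrypt(key: bytes, secret: bytes, req_auth: bytes, salt: bytes) -> bytes:
    """Encrypt `key` for ONE hop with that hop's shared secret.

    C(1) = P(1) xor MD5(S + R + A), C(i) = P(i) xor MD5(S + C(i-1)), where S is
    the shared secret, R the 16-octet Request-Authenticator and A the salt.
    Returns salt || ciphertext, i.e. the attribute's String field.
    """
    if len(req_auth) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    if not 0 < len(key) <= 255:
        raise ValueError("key length must fit in one octet")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)      # zero-pad to a 16-octet multiple
    out = bytearray()
    prev = req_auth + salt
    for i in range(0, len(plain), 16):
        block = _md5(secret, prev)
        c = bytes(p ^ b for p, b in zip(plain[i:i + 16], block))
        out += c
        prev = c
    return salt + bytes(out)


def mppe_decrypt(field: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of mppe_encrypt. Raises ValueError when the length octet or the
    zero padding do not check out (wrong shared secret or corrupted attribute)."""
    salt, ct = field[:2], field[2:]
    if len(ct) == 0 or len(ct) % 16:
        raise ValueError("ciphertext is not a positive multiple of 16 octets")
    plain = bytearray()
    prev = req_auth + salt
    for i in range(0, len(ct), 16):
        block = _md5(secret, prev)
        plain += bytes(c ^ b for c, b in zip(ct[i:i + 16], block))
        prev = ct[i:i + 16]
    n = plain[0]
    if n == 0 or n > len(plain) - 1 or any(plain[1 + n:]):
        raise ValueError("bad length or padding: wrong secret or corrupted data")
    return bytes(plain[1:1 + n])


def try_decrypt(field: bytes, secret: bytes, req_auth: bytes):
    """Decrypt, returning None instead of raising (used to show a wrong hop secret fails)."""
    try:
        return mppe_decrypt(field, secret, req_auth)
    except ValueError:
        return None


def proxy_relay(field, secret_in, ra_in, secret_out, ra_out):
    """What a RADIUS proxy has to do with the key attribute on an Access-Accept:
    strip the inbound hop's protection, then apply the outbound hop's. The
    cleartext MSK is necessarily visible to the proxy in between."""
    msk = mppe_decrypt(field, secret_in, ra_in)
    return msk, mppe_encrypt(msk, secret_out, ra_out, new_salt())


def demo():
    """IdP -> proxy -> RP with constructed secrets, authenticators and MSK.
    Returns (proxy_saw_msk, rp_recovered_msk)."""
    msk = bytes(range(64))                        # constructed 64-octet EAP MSK
    s_idp_proxy = b"constructed-idp-proxy-secret"  # shared secret, IdP<->proxy hop
    s_proxy_rp = b"constructed-proxy-rp-secret"    # shared secret, proxy<->RP hop
    ra_idp_proxy = bytes(range(16))               # Request-Authenticator, IdP<->proxy
    ra_proxy_rp = bytes(range(16, 32))            # Request-Authenticator, proxy<->RP
    on_wire_1 = mppe_encrypt(msk, s_idp_proxy, ra_idp_proxy, new_salt())
    seen_by_proxy, on_wire_2 = proxy_relay(
        on_wire_1, s_idp_proxy, ra_idp_proxy, s_proxy_rp, ra_proxy_rp)
    at_rp = mppe_decrypt(on_wire_2, s_proxy_rp, ra_proxy_rp)
    return seen_by_proxy == msk, at_rp == msk


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, True)`: the proxy holds the same MSK as the RP, which is exactly why the mail says the hop-by-hop protection is fine for most of the payload but not for the MSK. The model also shows the limit of what the proxy gains: it has the MSK, but nothing in the AAA exchange gives it the data traffic that the MSK (or keys derived from it) protects, which is the point RFC 4962 discusses in terms of key scope and binding.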
