RE: draft-zorn-radius-pkmv1-05.txt

2009-08-26 Thread Bernard Aboba
Yes, this looks good. > Date: Wed, 26 Aug 2009 22:36:42 -0400 > Subject: Re: draft-zorn-radius-pkmv1-05.txt > From: d3e...@gmail.com > To: g...@net-zen.net > CC: bernard_ab...@hotmail.com; ietf@ietf.org; sec...@ietf.org > > Looks OK to me, > Donald > > On Wed,

Re: draft-zorn-radius-pkmv1-05.txt

2009-08-26 Thread Donald Eastlake
Looks OK to me, Donald On Wed, Aug 26, 2009 at 9:24 PM, Glen Zorn wrote: > … > PKMv1 has some fairly serious security problems that are described here: > http://www2.computer.org/portal/web/csdl/doi/10.1109/SNPD.2008.138 > > So I think the question is whether this document can make those serious >

Re: draft-zorn-radius-pkmv1-05.txt

2009-08-26 Thread Donald Eastlake
Yes, the changes below look good to me. Thanks, Donald On Wed, Aug 26, 2009 at 9:40 PM, Glen Zorn wrote: > Donald Eastlake [mailto:d3e...@gmail.com] writes: > > ... > >> >> The wording in Sections 3.1 and 3.2 seem to almost be designed to >> allow >> >> the possibility of the multiple *-Cert Attri

RE: draft-zorn-radius-pkmv1-05.txt

2009-08-26 Thread Glen Zorn
Donald Eastlake [mailto:d3e...@gmail.com] writes: ... > >> The wording in Sections 3.1 and 3.2 seem to almost be designed to > allow > >> the possibility of the multiple *-Cert Attributes carrying a > >> certificate to appear in more than one Access-Request message. But I > >> would assume that's

RE: draft-zorn-radius-pkmv1-05.txt

2009-08-26 Thread Glen Zorn
. PKMv1 has some fairly serious security problems that are described here: http://www2.computer.org/portal/web/csdl/doi/10.1109/SNPD.2008.138 So I think the question is whether this document can make those serious security problems even worse, in a way that has not already been documented. AFAI

RE: draft-zorn-radius-pkmv1-05.txt

2009-08-26 Thread Glen Zorn
Bernard Aboba [mailto:bernard_ab...@hotmail.com] writes: Donald Eastlake said: "Doing a little more research, 802.16e-2005, which you don't reference, does begin to touch on this by at least specifying how EAP fits into 802.16." [BA] As I understand it, this document is focused entirely on

RE: draft-zorn-radius-pkmv1-05.txt

2009-08-26 Thread Glen Zorn
Donald Eastlake [mailto:d3e...@gmail.com] writes: ... > >> This document defines seven RADIUS Attributes to support the > >> implementation of 802.16 (WiMax) PKMv1 (Privacy Key Management > version > >> 1). I would guess that RADIUS can be used between the 802.16 Base > >> Station and an authori

Re: draft-zorn-radius-pkmv1-05.txt

2009-08-26 Thread Bernard Aboba
Donald Eastlake said: "Doing a little more research, 802.16e-2005, which you don't reference, does begin to touch on this by at least specifying how EAP fits into 802.16." [BA] As I understand it, this document is focused entirely on PKMv1, which does not support EAP. So it does not apply t

Re: draft-zorn-radius-pkmv1-05.txt

2009-08-26 Thread Donald Eastlake
Hi Glen, See below... On Mon, Aug 24, 2009 at 1:16 PM, Glen Zorn wrote: > Donald Eastlake [mailto:d3e...@gmail.com] writes: > >> I have reviewed this document as part of the security directorate's >> ongoing effort to review all IETF documents being processed by the >> IESG.  Document editors and

RE: draft-zorn-radius-pkmv1-05.txt

2009-08-24 Thread Glen Zorn
Donald Eastlake [mailto:d3e...@gmail.com] writes: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. Document editors and WG chairs should treat these comments just > like any other last call comments.