Sign in
Version 5.3.0, 2014-04-12
Report a bug

Crypto-Agility Requirements for Remote Authentication Dial-In User Service (RADIUS)

Note: This ballot was opened for revision 06 and is now closed.

Summary: Has enough positions to pass.

Stephen Farrell

Comment (2011-07-14)

(1) You might want to say that RECOMMENDED is the same as SHOULD where
you define conditional compliance.

(2) Its not entirely clear whether or not protection against bidding
down is a SHOULD or MUST. 4.2 seems to make it a MUST, but 4.3 seems to
open up such an attack ("If a response is not received...a new request
can be composed using legacy mechanisms"). Maybe the latter just
applies when the legacy mechanisms remain unbroken? If so, then
clarifying that might be good.

[Sean Turner]

Comment (2011-07-14)

Section 2: r/can selected/can be selected

Section 4.2: maybe add a reference to RFC 5280 in the following:

  it is RECOMMENDED that a RADIUS crypto-agility solution
  support X.509 certificates *[RFC5280]* for authentication
  between the NAS and RADIUS server