Guidance for Authentication, Authorization, and Accounting (AAA) Key Management
draft-housley-aaa-key-mgmt-09
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
09 | (System) | post-migration administrative database adjustment to the Yes position for Jari Arkko |
2012-08-22
|
09 | (System) | post-migration administrative database adjustment to the Yes position for Sam Hartman |
2007-05-02
|
09 | (System) | IANA Action state changed to No IC from In Progress |
2007-05-02
|
09 | (System) | IANA Action state changed to In Progress |
2007-05-01
|
09 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2007-05-01
|
09 | Amy Vezza | IESG state changed to Approved-announcement sent |
2007-05-01
|
09 | Amy Vezza | IESG has approved the document |
2007-05-01
|
09 | Amy Vezza | Closed "Approve" ballot |
2007-04-30
|
09 | Sam Hartman | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Sam Hartman |
2007-04-26
|
09 | Chris Newman | [Ballot comment] Minor comments: Section 2, last paragraph: OLD: however, other parties may receive keys that is derived from this … [Ballot comment] Minor comments: Section 2, last paragraph: OLD: however, other parties may receive keys that is derived from this ^^ NEW: however, other parties may receive keys that are derived from this Section 3, > Cryptographic algorithm independent Although this section implies hash function agility is required, it might be clearer to make that explicit. |
2007-04-26
|
09 | Chris Newman | [Ballot Position Update] New position, No Objection, has been recorded by Chris Newman |
2007-04-26
|
09 | Chris Newman | [Ballot comment] Section 2, last paragraph: OLD: however, other parties may receive keys that is derived from this … [Ballot comment] Section 2, last paragraph: OLD: however, other parties may receive keys that is derived from this ^^ NEW: however, other parties may receive keys that are derived from this Section 3, > Cryptographic algorithm independent Although this section implies hash function agility is required, it might be clearer to make that explicit. |
2007-04-24
|
09 | Sam Hartman | [Ballot Position Update] Position for Sam Hartman has been changed to Yes from Discuss by Sam Hartman |
2007-02-28
|
09 | (System) | New version available: draft-housley-aaa-key-mgmt-09.txt |
2007-02-16
|
08 | (System) | New version available: draft-housley-aaa-key-mgmt-08.txt |
2007-02-14
|
09 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2007-02-14
|
07 | (System) | New version available: draft-housley-aaa-key-mgmt-07.txt |
2007-02-12
|
09 | Jari Arkko | [Ballot comment] My Discuss has been cleared based on the new version -07 that Russ Housley prepared. |
2007-02-12
|
09 | Jari Arkko | [Ballot Position Update] Position for Jari Arkko has been changed to Yes from Discuss by Jari Arkko |
2007-01-12
|
09 | (System) | Removed from agenda for telechat - 2007-01-11 |
2007-01-11
|
09 | Amy Vezza | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza |
2007-01-11
|
09 | Jari Arkko | [Ballot discuss] The document is overall in excellent shape, but I have a few issues: The document describes generic AAA keying issues. EAP keying issues … [Ballot discuss] The document is overall in excellent shape, but I have a few issues: The document describes generic AAA keying issues. EAP keying issues are a special case of these. However, in some places the document talks with EAP terminology where more general terminology would have been more appropriate. For instance, Authorizations SHOULD be synchronized between the EAP peer, server, and authenticator. Once the AAA key management protocol exchanges are complete, all of these parties should hold a common view of the authorizations associated the other parties. Presumably the requirement holds even when we are not talking about EAP? The context will include the EAP peer and authenticator identities in more than one form. One (or more) name form is needed to identify these parties in the AAA protocol and EAP method. Another name form may be needed to identify these parties within the lower layer that will employ the session key. As above. |
2007-01-11
|
09 | Jari Arkko | [Ballot comment] Finally, I believe the document should have an informational reference to the EAP Keying Framework draft (a WG item of the EAP WG), … [Ballot comment] Finally, I believe the document should have an informational reference to the EAP Keying Framework draft (a WG item of the EAP WG), as that document discusses EAP specific keying issues and requirements. |
2007-01-11
|
09 | Ted Hardie | [Ballot Position Update] New position, No Objection, has been recorded by Ted Hardie |
2007-01-11
|
09 | Bill Fenner | [Ballot Position Update] New position, No Objection, has been recorded by Bill Fenner |
2007-01-11
|
09 | Lisa Dusseault | [Ballot Position Update] New position, No Objection, has been recorded by Lisa Dusseault |
2007-01-11
|
09 | Jari Arkko | [Ballot discuss] The document is overall in excellent shape, but I have a few issues: The document describes generic AAA keying issues. EAP keying issues … [Ballot discuss] The document is overall in excellent shape, but I have a few issues: The document describes generic AAA keying issues. EAP keying issues are a special case of these. However, in some places the document talks with EAP terminology where more general terminology would have been more appropriate. For instance, Authorizations SHOULD be synchronized between the EAP peer, server, and authenticator. Once the AAA key management protocol exchanges are complete, all of these parties should hold a common view of the authorizations associated the other parties. Presumably the requirement holds even when we are not talking about EAP? The context will include the EAP peer and authenticator identities in more than one form. One (or more) name form is needed to identify these parties in the AAA protocol and EAP method. Another name form may be needed to identify these parties within the lower layer that will employ the session key. As above. Finally, I believe the document should have an informational reference to the EAP Keying Framework draft (a WG item of the EAP WG), as that document discusses EAP specific keying issues and requirements. |
2007-01-11
|
09 | Jari Arkko | [Ballot Position Update] New position, Discuss, has been recorded by Jari Arkko |
2007-01-11
|
09 | (System) | [Ballot Position Update] New position, No Objection, has been recorded for Jon Peterson by IESG Secretary |
2007-01-11
|
09 | Dan Romascanu | [Ballot comment] (contributed by AAA doctor David Nelson who reviewed the document and is confortable with its content). The following text in Section 2 seems … [Ballot comment] (contributed by AAA doctor David Nelson who reviewed the document and is confortable with its content). The following text in Section 2 seems to be duplicated, and should probably show up only once: However, due to ad hoc development of AAA- based key management, AAA-based key distribution schemes have poorly understood security properties, even when well-studied cryptographic algorithms are employed. More academic research is needed to fully understand the security properties of AAA-based key management in the diverse protocol environments where it is being employed today. In the absence of research results, pragmatic guidance based on sound security engineering principles is needed. |
2007-01-11
|
09 | Dan Romascanu | [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu |
2007-01-11
|
09 | Dan Romascanu | [Ballot comment] (contributed by AAA doctor David Nelson). The following text in Section 2 seems to be duplicated, and should probably show up only once: … [Ballot comment] (contributed by AAA doctor David Nelson). The following text in Section 2 seems to be duplicated, and should probably show up only once: This text appears twice in Section 2. Probably once is enough. However, due to ad hoc development of AAA- based key management, AAA-based key distribution schemes have poorly understood security properties, even when well-studied cryptographic algorithms are employed. More academic research is needed to fully understand the security properties of AAA-based key management in the diverse protocol environments where it is being employed today. In the absence of research results, pragmatic guidance based on sound security engineering principles is needed. |
2007-01-11
|
09 | Ross Callon | [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon |
2007-01-11
|
09 | Lars Eggert | [Ballot Position Update] New position, No Objection, has been recorded by Lars Eggert |
2007-01-10
|
09 | David Kessens | [Ballot Position Update] New position, No Objection, has been recorded by David Kessens |
2007-01-10
|
09 | Mark Townsley | [Ballot Position Update] New position, No Objection, has been recorded by Mark Townsley |
2007-01-10
|
09 | Brian Carpenter | [Ballot Position Update] New position, No Objection, has been recorded by Brian Carpenter |
2007-01-10
|
09 | Sam Hartman | [Ballot discuss] I asked the following questions and this started a lively discussion among the authors. It seems clear that these paragraphs will need to … [Ballot discuss] I asked the following questions and this started a lively discussion among the authors. It seems clear that these paragraphs will need to change. It is less clear what they will change to; Bernard seems to have found some problems in these paragraphs beyond what I asked. > When a secure association protocol is used to establish session > keys, the parties involved in the secure association protocol > MUST identify themselves using identities that are meaningful > in the lower layer protocol environment that will employ the > session keys. In this situation, the authenticator and peer > may be known by different identifiers in the AAA protocol > environment and the lower layer protocol environment, making > authorization decisions difficult without a clear key scope. First, is there any requirement that both identities be authorized or somehow that we check to make sure the two identities belong together? i'm assuming yes, but don't see this clearly stated. > In some situations, multiple base stations and a "controller" > (such as a WLAN switch) comprise a single EAP authenticator. > In this situation, the "base station identity" is irrelevant to > the EAP method conversation, which is between the EAP peer and > the EAP server. > [Are you trying to say that this is not an example of one of the lower layer identities that needs to be separately identified or are you trying to say that since this identity is out of scope for EAP, it needs to be handled separately. I suspect the former, but the text is unclear.] |
2007-01-10
|
09 | Sam Hartman | [Ballot Position Update] Position for Sam Hartman has been changed to Discuss from Yes by Sam Hartman |
2007-01-09
|
09 | Cullen Jennings | [Ballot Position Update] New position, No Objection, has been recorded by Cullen Jennings |
2006-12-29
|
09 | Russ Housley | [Ballot Position Update] New position, Recuse, has been recorded by Russ Housley |
2006-12-27
|
09 | Sam Hartman | Placed on agenda for telechat - 2007-01-11 by Sam Hartman |
2006-12-27
|
09 | Sam Hartman | State Changes to IESG Evaluation from Waiting for Writeup by Sam Hartman |
2006-12-27
|
09 | Sam Hartman | [Ballot Position Update] New position, Yes, has been recorded for Sam Hartman |
2006-12-27
|
09 | Sam Hartman | Ballot has been issued by Sam Hartman |
2006-12-27
|
09 | Sam Hartman | Created "Approve" ballot |
2006-11-28
|
06 | (System) | New version available: draft-housley-aaa-key-mgmt-06.txt |
2006-11-27
|
05 | (System) | New version available: draft-housley-aaa-key-mgmt-05.txt |
2006-11-08
|
09 | (System) | Request for Early review by SECDIR Completed. Reviewer: Chris Lonvick. |
2006-11-06
|
09 | (System) | State has been changed to Waiting for Writeup from In Last Call by system |
2006-10-26
|
09 | Yoshiko Fong | IANA Last Call Comment: NO IANA Considerations section. We understand this document to have NO IANA Actions. |
2006-10-09
|
09 | Amy Vezza | Last call sent |
2006-10-09
|
09 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2006-10-09
|
09 | Sam Hartman | Note field has been cleared by Sam Hartman |
2006-10-09
|
09 | Sam Hartman | Intended Status has been changed to BCP from Proposed Standard |
2006-10-09
|
09 | Sam Hartman | State Changes to Last Call Requested from AD Evaluation::AD Followup by Sam Hartman |
2006-10-09
|
09 | Sam Hartman | Last Call was requested by Sam Hartman |
2006-10-09
|
09 | (System) | Ballot writeup text was added |
2006-10-09
|
09 | (System) | Last call text was added |
2006-10-09
|
09 | (System) | Ballot approval text was added |
2006-10-09
|
09 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2006-10-09
|
04 | (System) | New version available: draft-housley-aaa-key-mgmt-04.txt |
2006-10-06
|
09 | Sam Hartman | State Changes to AD Evaluation::Revised ID Needed from AD Evaluation::AD Followup by Sam Hartman |
2006-07-13
|
09 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2006-07-13
|
03 | (System) | New version available: draft-housley-aaa-key-mgmt-03.txt |
2006-04-20
|
09 | Sam Hartman | I apparently forgot to add this weeks ago |
2006-04-20
|
09 | Sam Hartman | Draft Added by Sam Hartman in state AD Evaluation |
2006-04-20
|
09 | Sam Hartman | [Note]: 'AD comments sent; waiting for new draft' added by Sam Hartman |
2006-03-22
|
02 | (System) | New version available: draft-housley-aaa-key-mgmt-02.txt |
2005-11-08
|
01 | (System) | New version available: draft-housley-aaa-key-mgmt-01.txt |
2005-06-13
|
00 | (System) | New version available: draft-housley-aaa-key-mgmt-00.txt |