RE: RE: [Isms] RADIUS is not a trusted third party

From: Bernard Aboba (aboba
Date: Thu, 21 Apr 2005 22:59:51 -0400 (EDT)

> I think there is a subtle difference between a "trusted third party" and
> a RADIUS server which may have bi-lateral trust relationships with
> various parties.

Yes. Where RADIUS proxies are present there is no trust relationship between the NAS and RADIUS server. This is in contrast to Diameter, where such a relationship can be established via re-direct.

The distinction is important in a number of cases. In Kerberos, the KDC is able to provide a ticket to any principal because it has a shared secret that it shares with that principal. Within RADIUS this is not possible. A RADIUS server cannot provide the user with a ticket to a NAS because it may not have a trust relationship with that NAS.

Note that at one point, there was a proposal for integration of RADIUS with Kerberos. That proposal did in fact enable RADIUS to become a true trusted third party. The proposal seemed practical. However, the AAA WG went with another proposal (Diameter CMS) which it turned out that no one wanted to implement.

Among other things, the proposal enabled a RADIUS server to send a key to a NAS that could not be viewed by intervening proxies. In retrospect, the IETF may have missed an important opportunity.

For a trip down memory lane, look here:

http://www.watersprings.org/pub/id/draft-kaushik-radius-sec-ext-06.txt
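
An added illustration, not part of the original message: why a key sent through a RADIUS proxy is visible to that proxy. It assumes the key travels in an attribute hidden with the per-hop shared secret in the style of RFC 2548 (MS-MPPE-Send-Key); the secrets, authenticators and function names are constructed for the example.

```python
import hashlib
import os

def _chain_xor(data, secret, req_auth, salt, decrypt):
    # RFC 2548 style chaining: b1 = MD5(S + R + A), b_i = MD5(S + c_(i-1))
    out, prev = b"", req_auth + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        mixed = bytes(a ^ b for a, b in zip(block, pad))
        out += mixed
        prev = block if decrypt else mixed  # always chain on the ciphertext block
    return out

def hide_key(key, secret, req_auth):
    salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)  # top bit of salt set
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)  # pad to a multiple of 16 octets
    return salt + _chain_xor(plain, secret, req_auth, salt, decrypt=False)

def reveal_key(hidden, secret, req_auth):
    salt, cipher = hidden[:2], hidden[2:]
    plain = _chain_xor(cipher, secret, req_auth, salt, decrypt=True)
    return plain[1:1 + plain[0]]

def proxy_forward(hidden, up_secret, up_ra, down_secret, down_ra):
    # The NAS shares no secret with the server, so the proxy has to recover
    # the cleartext key and re-hide it under the NAS<->proxy secret.
    key = reveal_key(hidden, up_secret, up_ra)
    return key, hide_key(key, down_secret, down_ra)

def demo():
    # Constructed sample values: one secret per hop, one authenticator per hop.
    nas_proxy_secret = b"constructed-nas-proxy-secret"
    proxy_server_secret = b"constructed-proxy-server-secret"
    ra_nas, ra_proxy = os.urandom(16), os.urandom(16)
    session_key = os.urandom(32)

    from_server = hide_key(session_key, proxy_server_secret, ra_proxy)
    seen_by_proxy, to_nas = proxy_forward(
        from_server, proxy_server_secret, ra_proxy, nas_proxy_secret, ra_nas)
    at_nas = reveal_key(to_nas, nas_proxy_secret, ra_nas)
    # The NAS cannot open the server's original attribute with its own secret.
    nas_direct = reveal_key(from_server, nas_proxy_secret, ra_nas)
    return session_key, seen_by_proxy, at_nas, nas_direct

if __name__ == "__main__":
    key, proxy_view, nas_view, nas_direct = demo()
    print("proxy sees key:", proxy_view == key, "| NAS gets key:", nas_view == key)
```

Hiding the key end to end would need a secret shared directly between server and NAS, which is the trust relationship the message says is absent when proxies are present.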