Re: RE: [Isms] RADIUS is not a trusted third party
From: Julien Bournelle (julien.bournelle at int-evry.fr)
Date: Fri, 22 Apr 2005 10:47:47 -0400 (EDT)
Hi,

On Thu, Apr 21, 2005 at 07:59:46PM -0700, Bernard Aboba wrote:
> > I think there is a subtle difference between a "trusted third party" and
> > a RADIUS server which may have bi-lateral trust relationships with
> > various parties.
> 
> Yes.  Where RADIUS proxies are present there is no trust relationship
> between the NAS and RADIUS server.  This is in contrast to Diameter, where
> such a relationship can be established via re-direct.

I'm wondering if an operator will let its EAP authenticator directly
contact EAP servers from other operators using the redirect functionality of
Diameter.

regards,


> 
> The distinction is important in a number of cases.  In Kerberos, the KDC
> is able to provide a ticket to any principal because it has a shared
> secret that it shares with that principal.
> 
> Within RADIUS this is not possible.  A RADIUS server cannot
> provide the user with a ticket to a NAS because it may not have a trust
> relationship with that NAS.
> 
> Note that at one point, there was a proposal for integration of RADIUS
> with Kerberos.  That proposal did in fact enable RADIUS to become a true
> trusted third party.  The proposal seemed practical. However, the AAA WG
> went with another proposal (Diameter CMS) which it turned out that no one
> wanted to implement. Among other things, the proposal enabled a RADIUS
> server to send a key to a NAS that could not be viewed by intervening
> proxies.  In retrospect, the IETF may have missed an important
> opportunity.
> 
> For a trip down memory lane, look here:
> http://www.watersprings.org/pub/id/draft-kaushik-radius-sec-ext-06.txt
> 
> _______________________________________________
> eap mailing list
> eap [at] frascone.com
> http://mail.frascone.com/mailman/listinfo/eap

-- 
julien.bournelle at int-evry.fr

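The thread's point that a RADIUS server is not a trusted third party comes down to key hiding being hop-by-hop: the MS-MPPE key attributes of RFC 2548 are hidden with the shared secret of each RADIUS hop, so every proxy on the path must recover the key to re-hide it for the next hop. The following is an added example, not code from the thread or from either poster. It implements the RFC 2548 hiding scheme in Python and walks a key from a home server through a proxy to a NAS, recording who can read it. The "end-to-end" function is only an illustration of the Kerberos-style property Bernard describes (a key wrapped under a secret the proxy does not hold); it re-uses the same wrapping under a hypothetical server-to-NAS secret and is not the mechanism of draft-kaushik-radius-sec-ext. The Request Authenticator, salt, secrets and key are constructed demo values.

```python
import hashlib

# Constructed demo values (not from the thread): a 16-byte Request
# Authenticator and a 2-byte salt with the high bit set, as RFC 2548 requires.
REQ_AUTH = bytes(range(16))
SALT = b"\x8a\x1f"


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def mppe_wrap(secret: bytes, req_auth: bytes, salt: bytes, key: bytes) -> bytes:
    """Hide `key` the way RFC 2548 hides MS-MPPE-Send/Recv-Key: XOR 16-byte
    blocks with an MD5 stream keyed by the hop's shared secret."""
    assert len(req_auth) == 16 and len(salt) == 2 and salt[0] & 0x80
    plain = bytes([len(key)]) + key            # length byte, then the key
    plain += b"\x00" * (-len(plain) % 16)      # zero-pad to a 16-byte multiple
    out, prev = b"", req_auth + salt           # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        stream = _md5(secret, prev)
        block = bytes(p ^ s for p, s in zip(plain[i:i + 16], stream))
        out += block
        prev = block                           # b(i) = MD5(S + c(i-1))
    return salt + out


def mppe_unwrap(secret: bytes, req_auth: bytes, wrapped: bytes) -> bytes:
    """Inverse of mppe_wrap. With the wrong secret it yields garbage, not an
    error: the scheme hides the key but does not authenticate it."""
    salt, cipher = wrapped[:2], wrapped[2:]
    plain, prev = b"", req_auth + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        stream = _md5(secret, prev)
        plain += bytes(c ^ s for c, s in zip(block, stream))
        prev = block
    return plain[1:1 + plain[0]]


def deliver_hop_by_hop(key: bytes, chain: list, secrets: list) -> dict:
    """Carry `key` from chain[0] (home server) to chain[-1] (NAS) through the
    proxies in between. secrets[i] is shared between chain[i] and chain[i+1].
    Each proxy has to unwrap with its inbound secret and re-wrap with its
    outbound one, so every proxy recovers the key. Returns what each
    receiving element sees, keyed by its name."""
    assert len(secrets) == len(chain) - 1
    seen = {}
    wrapped = mppe_wrap(secrets[0], REQ_AUTH, SALT, key)
    for i, secret in enumerate(secrets):
        recovered = mppe_unwrap(secret, REQ_AUTH, wrapped)
        seen[chain[i + 1]] = recovered
        if i + 1 < len(secrets):               # a proxy: re-hide for the next hop
            wrapped = mppe_wrap(secrets[i + 1], REQ_AUTH, SALT, recovered)
    return seen


def deliver_end_to_end(key: bytes, server_nas_secret: bytes, proxy_secret: bytes) -> dict:
    """Illustrative only (hypothetical server<->NAS secret, not the draft's
    design): the server wraps under a secret it shares with the NAS alone, the
    proxy forwards the attribute untouched, and unwrapping with the proxy's
    own secret gives garbage."""
    wrapped = mppe_wrap(server_nas_secret, REQ_AUTH, SALT, key)
    return {
        "proxy": mppe_unwrap(proxy_secret, REQ_AUTH, wrapped),
        "nas": mppe_unwrap(server_nas_secret, REQ_AUTH, wrapped),
    }


if __name__ == "__main__":
    key = bytes(range(0x20, 0x40))             # constructed 32-byte session key
    chain = ["home-server", "proxy", "nas"]
    secrets = [b"server<->proxy secret", b"proxy<->nas secret"]
    for who, k in deliver_hop_by_hop(key, chain, secrets).items():
        print(f"hop-by-hop: {who:12s} sees the key? {k == key}")
    e2e = deliver_end_to_end(key, b"server<->nas secret", secrets[1])
    print("end-to-end: proxy sees the key?", e2e["proxy"] == key,
          "| nas sees the key?", e2e["nas"] == key)
```

Run it and the hop-by-hop path reports that both the proxy and the NAS see the key, while the end-to-end variant reports only the NAS does. That is the whole difference between a chain of bilateral shared secrets and a trusted third party: in the RADIUS model the key's confidentiality is bounded by the least trustworthy proxy on the path, and any proxy compromise or misconfiguration should be treated as exposure of every session key it has forwarded.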