RE: Clarifications on "Domino effect"
From: Alper Yegin (alper.yeginsamsung.com)
Date: Sun, 31 Jul 2005 08:45:37 -0400 (EDT)
> > "Compromise of a single authenticator cannot compromise any other part
> > of the system, including session keys and long-term secrets."
> >
> > Does this finally imply that the authenticator MUST not provide keys to
> > another entity?
> >
> >
> Intuitively, this text may be too broad.

In some sense it is too broad. It disallows the NAS from providing any keys to
NAS ports (which may be hosted on separate nodes). In the absence of
clarification, I have even read some people take this as "no keys shall ever
be passed around". I really think this part deserves further
clarification.

And in another sense, I find the text a bit narrow. Why does it only focus
on the "authenticator" if we are talking about the domino effect? A
compromised RADIUS relay yields a domino effect as well.

> An EAP peer, for instance,
> is a part of "the system", and its traffic at least would be
> compromised if its authenticator got compromised.

Hmm, that's interesting. I never thought that way before. We definitely
need a clarification on that as well.

Alper


> And any
> new EAP peer connecting to the compromised authenticator
> would also have its traffic exposed. Similarly, the AAA nodes
> are affected, because they have a secure connection to a
> compromised node.
> 
> I think what we mean is that when one authenticator is
> compromised, this does not lead to:
> 
> o  Compromise of long-term secrets in EAP peers, AAA servers,
>     and other authenticators.
> 
> o  Compromise of session keys other than those associated
>     with a session where the compromised authenticator
>     is or will be a part of.
> 
> o  Ability of the authenticator to claim to be another authenticator
>     or to offer another type of service when communicating with
>     EAP peers.
> 
> --Jari
> 
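As an added illustration of the property Jari's three bullets describe (this is not code from the thread, nor from any EAP or AAA implementation): a toy key hierarchy in which the AAA server derives each session key through a one-way KDF bound to the authenticator's identity, so a compromised authenticator holds only the keys for its own sessions, cannot recover long-term secrets or sibling authenticators' keys, and cannot pass its key off under another authenticator's name. The identifiers, the KDF shape and the peer-side check are assumptions of this model, not the protocol's actual derivation.

```python
import hmac
import hashlib


def kdf(key: bytes, label: bytes, context: bytes, length: int = 32) -> bytes:
    """One-way derivation: HMAC-SHA256 in counter mode (simplified SP 800-108 shape).
    Holding one output gives no way back to `key` and no way to sibling outputs."""
    out = b""
    counter = 1
    while len(out) < length:
        block = bytes([counter]) + label + b"\x00" + context
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


class AAAServer:
    """Keeps the long-term secrets and hands each authenticator a key bound to its own identity."""

    def __init__(self, peer_secrets: dict):
        self.peer_secrets = dict(peer_secrets)  # peer_id -> long-term secret, never leaves the server
        self.issued = {}  # (peer_id, authenticator_id) -> session key that was handed out

    def derive_session_key(self, peer_id: str, authenticator_id: str) -> bytes:
        # Step 1: peer-specific master key from the long-term secret.
        master = kdf(self.peer_secrets[peer_id], b"eap-master", peer_id.encode())
        # Step 2: bind the delivered key to the authenticator that will receive it.
        key = kdf(master, b"authenticator-bound", authenticator_id.encode())
        self.issued[(peer_id, authenticator_id)] = key
        return key


def sessions_exposed(server: AAAServer, compromised_authenticator: str) -> set:
    """Blast radius of one compromised authenticator: only sessions it was handed keys for."""
    return {s for s in server.issued if s[1] == compromised_authenticator}


def peer_accepts_key(key: bytes, peer_secret: bytes, peer_id: str, expected_authenticator: str) -> bool:
    """Peer-side check (hypothetical): recompute the key bound to the authenticator the peer
    believes it is talking to. A key issued to nas-1 does not verify under nas-2's identity."""
    master = kdf(peer_secret, b"eap-master", peer_id.encode())
    expected = kdf(master, b"authenticator-bound", expected_authenticator.encode())
    return hmac.compare_digest(expected, key)


if __name__ == "__main__":
    # Constructed sample secrets and identifiers; not real credentials.
    srv = AAAServer({"peer-a": b"constructed-secret-a", "peer-b": b"constructed-secret-b"})
    k_a1 = srv.derive_session_key("peer-a", "nas-1")
    k_a2 = srv.derive_session_key("peer-a", "nas-2")
    srv.derive_session_key("peer-b", "nas-1")
    print("nas-1 compromised exposes:", sorted(sessions_exposed(srv, "nas-1")))
    print("nas-1 key accepted as nas-2?", peer_accepts_key(k_a1, b"constructed-secret-a", "peer-a", "nas-2"))
```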