Hi!
> From a practical point of view, I think PFS issues are less of a problem
> than other issues.
[K]: OK. I don't argue that PFS is important here. My point is just that those
who *do* believe that PFS is important need to take care when using
long-lived TLS/IPsec sessions. That is:
1. As
On Apr 10, 2023, at 4:54 AM, Karl Norrman wrote:
> [K]: OK. I don't argue that PFS is important here. My point is just that those
> who *do* believe that PFS is important need to take care when using
> long-lived TLS/IPsec sessions. That is:
> 1. Assuming a system user wants PFS, the question is w
> I would suggest that these attacks aren't very relevant. Or if they are,
> there is very little which can be done about them.
+1
An AAA infrastructure is a logical extension of the NAS that enables
authentication, key derivation and other security functions to be
externalised. That externali
Hi!
> > [K]: OK. I don't argue that PFS is important here. My point is just
> > that those who *do* believe that PFS is important need to take care
> > when using long-lived TLS/IPsec sessions. That is:
> > 1. Assuming a system user wants PFS, the question is whether they get
> > it by enabling PF
On Apr 10, 2023, at 12:20 PM, Karl Norrman wrote:
> [K]: What above made you believe I meant the clients authenticating via EAP?
You mentioned EAP session keys being compromised. That would tend to imply
end users being affected.
> I mean that the organization(s) deploying EAP and the authen
Hi!
> "Use PFS methods" is a good
> step. Warning people of the limitations of PFS is a good step. Past that, I
> don't see any recommendations which I can implement.
[K]: Excellent. If we can get that in a general AAA document read by people
deploying EAP/AAA, I'd be much happier than hav