RE: Exportable encryption & Kerberos

["Mike Swift (NT)" <mikesw@MICROSOFT.com>]

I agree that my suggesting is not the ultimate for negotiating encryption.
The current Kerberos AP protocol does not allow for much negotiation,
unfortunately. I hesitate to start relying on something like PKINIT for
everyday operations - it adds a whole new layer to the already complex
enough setup for Kerberos.

The solution I propose does allow for upgrade and downgrade attacks by rogue
servers & clients. I'm not too worried about downgrade attacks because a
client or server can always just expose the information. As for an upgrade
attack, only servers are vulnerable because the client would get to choose
the key in this case. The only way around this that I know of is for either
a new encryption type to be defined or for a standard way to inspect a key
and tell how strong it is, neither of which seem practical.

- Mike

> -----Original Message-----
> From:	joes@wrq.com [SMTP:joes@wrq.com]
> Sent:	Tuesday, January 13, 1998 2:47 PM
> To:	Mike Swift (NT)
> Cc:	cat-ietf@mit.edu
> Subject:	Re: Exportable encryption & Kerberos
> 
> Item Subject: Exportable encryption & Kerberos
>      The proposed scheme does provide additional information, but it does 
>      not address the problem of clients and servers with different crypto 
>      capabilities interoperating.  Having either the client or server 
>      blindly trust the other presents problems. A rogue could force the
> use 
>      of crypto that is too weak or too strong for a particular
> environment. 
>       
>      
>      It would be desirable to have a client that is capable of both strong
> 
>      and weak crypto.  There are several types of servers the client may 
>      interoperate with.
>      
>      1. Generic server -- the client must use weak crypto
>      2. Approved Server -- the server has characteristics (such as key 
>      recovery and key escrow) that allow for the use of stronger 
>      cryptography.
>      3. Approved Sever in an Approved Institution -- the institution which
> 
>      is using this server is approved for stronger crypto.
>      
>      It is therefore essential that the client have a means of identifying
> 
>      the cryptographic allowances of the server it is talking to.  I 
>      believe there is an SSL mechanism in practice that allows for a 
>      special certificate to be returned by the server to the client which 
>      proves that the server can use stronger crypto (If someone could
> point 
>      me to the details of these "special certificates" I would be 
>      grateful).  Current proposals in kerberos could be used in a similar 
>      way to help with this problem.
>      
>      The current PKINIT proposal allows the server to return a
> certificate. 
>      This certificate could provide the assurance of the capability to do 
>      stronger crypto.  However, this only identifies the KDC which may be 
>      sufficient for meeting government regulations in case 3.  It may
> cause 
>      problems with case 2 because there is no guarantee that the 
>      application server is participating in key management.  In this case
> I 
>      do not know of a specification to return a certificate from an 
>      application server (I don't think either PKTAPP or PKDA apply), one 
>      would probably have to be invented.  
>      
>      I'd appreciate any comments on this, I am coming from a US point of 
>      view.  The CAT working group may not be the best place to focus on 
>      these issues.  If there is a better forum let me know.  The problem
> of 
>      cryptographic restrictions is much broader than US export
> regulations. 
>       
>      Joe Salowey
>      WRQ Software
>      joes@wrq.com
>      
> 
> 
> 

Date: Sat, 17 Jan 1998 00:40:32 -0500
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: "Mike Swift" <mikesw@microsoft.com>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, cat-ietf@MIT.EDU
Subject: Re: Exportable encryption & Kerberos
Address: 1 Amherst St., Cambridge, MA 02139
Phone: (617) 253-8091

   From: "Mike Swift (NT)" <mikesw@microsoft.com>
   Date: Fri, 16 Jan 1998 10:58:32 -0800

   I agree that the words "domestic" and "exportable" were poor choices - how
   about "strong" and "weak", so that there are no doubts about what is being
   offered? I thought about extending the AP request to include additional enc
   types. However, negotiating both a key & and encryption type at the same
   time is difficult - the thing to do might be to expand the key in the AP_REQ
   to be a sequence of keys, and the server replies with they key it chose or
   its own key. 

I'm still not convinced this is a good thing to put into the protocol
like this.  What if the government decides six months from now that 40
bits is pathetically weak, and allows us to use 48 bits instead?  What
if France requires us to use 16 bits of keying material?  Do we put yet
another hack into the protocol for that?

There is substantial consensus within the IETF that we should not
compromise our protocols for the sake of meeting the requirements of
some transient national government's regulations with respect to export
control.  The IETF, after all, is an International standards body, and
if the U.S. government wants to cripple the ability for U.S. companies
to sell competently written, secure products outside the U.S., that's
the U.S. government's problem.  

This question came up with IPSEC, and when we took a straw poll at the
open IESG meeting, the overwhelming consensus by the IETF engineers was
that we should not compromise our protocols in this fashion.  Hence, in
order to compliant with IPSEC and IPV6 you MUST support strong crypto.
If you do not, you cannot call yourself compliant with those standards.
Companies in the E.U. are free to develop and market IPSEC software with
strong crypto to the E.U., and there are companies that are doing
precisely that.  U.S. companies who don't like this restriction in where
they can market their software are encouraged to lobby the
U.S. government to fix this, and to not bother trying to lobby the IETF
to bless a technically incorrect design choice.

In any case, because of this strong consensus within both the IETF and
the IESG, I have no doubt that any attempt to try to standardize
insecure crypto will be rejected by the IESG.  So I believe it's really
a waste of time to pursue this any further.

Indeed, my big worry right now with respect to Kerberos is that 56 bits
of DES is not strong enough for anything really serious, and that we
should be moving to 112 bit triple-DES keys ASAP.

						- Ted

Date: Sat, 17 Jan 1998 10:13:14 -0800 (PST)
From: Mike Eisler <Michael.Eisler@Eng.Sun.COM>
Reply-To: Mike Eisler <Michael.Eisler@Eng.Sun.COM>
Subject: Re: Exportable encryption & Kerberos
To: "Theodore Y. Ts'o" <tytso@mit.edu>
Cc: Mike Swift <mikesw@microsoft.com>, Ken Hornstein <kenh@cmf.nrl.navy.mil>,
        cat-ietf@mit.edu


> In any case, because of this strong consensus within both the IETF and
> the IESG, I have no doubt that any attempt to try to standardize
> insecure crypto will be rejected by the IESG.  So I believe it's really

The most recent TLS draft has "exportable" cipher suites in it. If nothing
else, I would hope IESG is consistent in its treatment of the output from one
WG versus another.

> a waste of time to pursue this any further.

The practical reality is that these laws exist. Without some written
definition of weak cryto, what will happen is various implementers will
implement non-interoperable schemes. An Informational RFC on 40 bit
Kerberos V5 privacy would be useful for that reason.

	-mre

Date: Sat, 17 Jan 1998 21:24:07 -0500 (EST)
From: Richard Salz <salzr@certco.com>
To: Michael.Eisler@Eng.Sun.COM, tytso@mit.edu
Subject: Re: Exportable encryption & Kerberos
Cc: cat-ietf@mit.edu, kenh@cmf.nrl.navy.mil, mikesw@microsoft.com

> An Informational RFC on 40 bit
>Kerberos V5 privacy would be useful for that reason.

If the members of the IETF decide it's useful to standardize emasculated
crypto to ensure interoperability, then I hope we'll all be very blatant
and define things such that the "naught bits" (n>41:) are sent in the clear
by the protocol(s) in question.  In no way should this be sugar-coated.
	/r$

To: Mike Eisler <Michael.Eisler@Eng.Sun.COM>
Cc: "Theodore Y. Ts'o" <tytso@MIT.EDU>, Mike Swift <mikesw@microsoft.com>,
        Ken Hornstein <kenh@cmf.nrl.navy.mil>, cat-ietf@MIT.EDU
Subject: Re: Exportable encryption & Kerberos
X-Emacs: 19.34
From: joda@pdc.kth.se (Johan Danielsson)
Date: 18 Jan 1998 09:08:56 +0100
Lines: 10

Mike Eisler <Michael.Eisler@Eng.Sun.COM> writes:

> Without some written definition of weak cryto, what will happen is
> various implementers will implement non-interoperable schemes.

I almost find this a feature. It is more obvious to people that they
are buying crap software if it doesn't interoperate with anything
else.

/Johan

Return-Path: <postmaster@pad-thai.cam.ov.com>
From: vin@shore.net
Date: Sun, 18 Jan 1998 19:11:37 -0800 (PST)
X-Sender: vin@shore.net (Unverified)
To: Richard Salz <salzr@certco.com>
Subject: Re: Exportable encryption & Kerberos
Cc: cat-ietf@MIT.EDU, kenh@cmf.nrl.navy.mil, mikesw@microsoft.com,
        Michael.Eisler@Eng.Sun.COM, tytso@MIT.EDU

        Rich Salz <salzr@certco.com> opined:

>If the members of the IETF decide it's useful to standardize emasculated
>crypto to ensure interoperability, then I hope we'll all be very blatant
>and define things such that the "naught bits" (n>41:) are sent in the clear
>by the protocol(s) in question.  In no way should this be sugar-coated.

        Damn right!  Bell, whistles, popup windows, and bad smells wherever
available should be used to alert the user and clearly indicate that the
encryption being used is very very weak.

        Could the WG or the IESG mandate such an overt warning in the
implementation?  Maybe with an explicit recommendation that the user seek
to negotiate more secure crypto with his correspondent(s) ...if possible
and legal, and if he or she requires more than minimal protection for the
confidentiality and integrity of the transmitted data?

        That would be neat for several reasons -- not least of which
because it would maybe let J.S. and the IESG and/or the IAB go head-to-head
with the US govt. directly.

        And that, in turn, might get the user and the vendors out of the
line of fire and lessen the temptation of various IETF activists to scorn
useful _Interoperability_ standards -- which seem to necessarily reference
(and require, for universal connectivity) the weak crypto which is the
strongest the feds allow to be freely exported by US-based vendors.

        That new banker's suit becomes you, Mr. Salz.
        ;-)
   Suerte,
                     _Vin


Return-Path: <postmaster@pad-thai.cam.ov.com>
Date: Mon, 19 Jan 1998 07:21:20 -0800 (PST)
From: Mike Eisler <Michael.Eisler@eng.Sun.COM>
Reply-To: Mike Eisler <Michael.Eisler@eng.Sun.COM>
Subject: Re: Exportable encryption & Kerberos
To: Johan Danielsson <joda@pdc.kth.se>
Cc: Mike Eisler <Michael.Eisler@eng.Sun.COM>,
        "Theodore Y. Ts'o" <tytso@MIT.EDU>, Mike Swift <mikesw@microsoft.com>,
        Ken Hornstein <kenh@cmf.nrl.navy.mil>, cat-ietf@MIT.EDU

> Mike Eisler <Michael.Eisler@Eng.Sun.COM> writes:
> 
> > Without some written definition of weak cryto, what will happen is
> > various implementers will implement non-interoperable schemes.
> 
> I almost find this a feature. It is more obvious to people that they
> are buying crap software if it doesn't interoperate with anything
> else.

You and I have the same technical opinion regarding 40 bit privacy, but the
reality is that there is a proven market for it: the United States.
Most U.S. residents use 40 bit encryption in their web browser, even though they
don't have to. I wonder if 40 bit web browsers are similarly popular in other
countries.

	-mre


Return-Path: <postmaster@pad-thai.cam.ov.com>
To: Mike Eisler <Michael.Eisler@eng.Sun.COM>
Cc: "Theodore Y. Ts'o" <tytso@MIT.EDU>, Mike Swift <mikesw@microsoft.com>,
        Ken Hornstein <kenh@cmf.nrl.navy.mil>, cat-ietf@MIT.EDU
Subject: Re: Exportable encryption & Kerberos
X-Emacs: 19.34
From: joda@pdc.kth.se (Johan Danielsson)
Date: 19 Jan 1998 20:54:30 +0100
Lines: 15

Mike Eisler <Michael.Eisler@eng.Sun.COM> writes:

> Most U.S. residents use 40 bit encryption in their web browser, even
> though they don't have to.

Yes, but doesn't SSL have standardized support for using weak crypto?

> I wonder if 40 bit web browsers are similarly popular in other
> countries.

I would say that 0 bit web browsing is far more popular. Those that
actually use SSL for something real, either use a local strong crypto
proxy, or use some other device as a complement, SecurID or similar.

/Johan

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: "Mike Swift (NT)" <mikesw@microsoft.com>
To: Richard Salz <salzr@certco.com>, Michael.Eisler@Eng.Sun.COM, tytso@mit.edu
Cc: cat-ietf@mit.edu, kenh@cmf.nrl.navy.mil
Subject: RE: Exportable encryption & Kerberos
Date: Mon, 19 Jan 1998 15:23:47 -0800

I am very open to other suggestions on how best to implement weakened
encryption in Kerberos. I proposed a solution that is of limited scope but
will work. If anybody else has other concrete suggestions I would very much
like to hear them.

- Mike

> -----Original Message-----
> From:	Richard Salz [SMTP:salzr@certco.com]
> Sent:	Saturday, January 17, 1998 6:24 PM
> To:	Michael.Eisler@Eng.Sun.COM; tytso@mit.edu
> Cc:	cat-ietf@mit.edu; kenh@cmf.nrl.navy.mil; Mike Swift (NT)
> Subject:	Re: Exportable encryption & Kerberos
> 
> > An Informational RFC on 40 bit
> >Kerberos V5 privacy would be useful for that reason.
> 
> If the members of the IETF decide it's useful to standardize emasculated
> crypto to ensure interoperability, then I hope we'll all be very blatant
> and define things such that the "naught bits" (n>41:) are sent in the
> clear
> by the protocol(s) in question.  In no way should this be sugar-coated.
> 	/r$

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
To: "Mike Swift (NT)" <mikesw@microsoft.com>
Cc: cat-ietf@MIT.EDU
Subject: Re: Exportable encryption & Kerberos 
X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4
	WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d
	gD\SW #]iN_U0 KUmOR.P<|um5yP<ea#^"SJK;C*}fMI;Mv(aiO2z~9n.w?@\>kEpSD@*e`
Date: Tue, 20 Jan 1998 01:12:53 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>I am very open to other suggestions on how best to implement weakened
>encryption in Kerberos. I proposed a solution that is of limited scope but
>will work. If anybody else has other concrete suggestions I would very much
>like to hear them.

Okay, politics aside:

- The binary values of "strong" and "weak" bother me.  Not enough room for
  expansion or adaptation (what if X version of Kerberos implements
  "weak", circa 1998, but Y implements "weak" circa 2002?).  I really
  think these should be new encryption types.
- I still think that a general framework for negotiating encryption
  types in an AP_REQ would be useful, for a number of reasons (for
  example, when 3DES gets into MIT Kerberos, I'd like to be able to
  use it as quickly as possible, but not have to upgrade all of
  our application servers).  I know, this is tricky ... but I still
  think it's solvable.

--Ken

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: John_Wray@iris.com
X-Lotus-Fromdomain: IRIS
To: Martin.Rex@sap-ag.de
Cc: cat-ietf@MIT.EDU
Date: Tue, 20 Jan 1998 11:02:00 -0500
Subject: Re: GSS-API per msg prot negotiation
Content-Disposition: inline

Martin writes (regarding requiring that both ends of a
context get the same confidentiality support information):

>More or less obvious mechanism spec and/or implementation issues:
>
>- If a gssapi mechanism spec doesn't mandate confidentiality,
>  it must provide a handshake during context establishment so
>  that independent implemenations may figure out availability
>  of a common confidentiality mechanism.
>
>- If a gssapi mechanism spec doesn't mandate confidentiality,
>  a one-way authentication with confidentiality can not meet
>  the interoperability requirement.
>
>- If a gssapi mechanism spec mandates confidentiality,
>  a one-way authentication with confidentiality would be limited to
>  the mandated confidentiality algorithm(s).


The latter two issues aren't quite correct - one-way authentication
is a service, and is what you get when you don't set the MUTUAL_REQ
bit to GSS_INIT_SEC_CONTEXT; it doesn't necessarily map to a single
message, but can be implemented as a series of messages between
initiator and acceptor.  So the above should read something like:

- If a gssapi mechanism spec doesn't mandate confidentiality,
  a single-message context establishment can not provide
  interoperable confidentiality.

- If a gssapi mechanism spec mandates confidentiality,
  a single-message context establishment exchange would be limited to
  the mandated confidentiality algorithm(s).


>On top of that, I think such requirements have to be extended
>to QOP values:
>
>- If a gssapi mechanism spec allows optional confidentiality
>  or integrity mechanisms to be selected by the application
>  by using an explicit QOP parameter, the context establishment
>  must provide for negotiation of common QOP values.
>
>- When using an optional QOP value that is known to the local
>  gssapi implementation but not by the peer and therefore not
>  available for the established security context, the failure
>  of the gss_getmic() or gss_wrap() must not interfere with
>  the context validity, sequence protection or replay protection
>  as provided by the gssapi mechanism.

I think I understand the above, but the wording is confusing (for
a start, "confidentiality/integrity mechanisms" haven't been defined,
and I can't think of a clear concise definition that captures what I
think you're after). Would the following restrictions do what you want:

    A) If a gssapi mechanism spec allows for optional support of
       particular QOP values, then either:

       i) All implementations are required to be capable of
          processing messages protected using any QOP value,
          regardless of whether they can apply protection
          corresponding to that QOP,

       or

       ii) The set of mutually-supported receiver QOP values
           must be determined during context establishment,
           and messages may be protected by either peer
           using only QOP values from this mutually-supported
           set.

       NOTE: (i) is just a special-case of (ii), where
             implementations are required to support
             all QOP values on receipt.


    B) A failure of gss_getmic() or gss_wrap() due to an attempt
       to use an unsupported QOP will not interfere with context
       validity, nor shall such a failure impact the ability of the
       application to subsequently invoke gss_getmic() or
       gss_wrap() using a supported QOP; in particular, any
       state information concerning sequencing of outgoing
       messages shall be unchanged by an unsuccesful call
       of gss_getmic() or gss_wrap().

       NOTE: should the last clause (after the semilcolon) be
             true in general - shouldn't any failure of gss_getmic()
             or gss_wrap() leave sequencing state alone?


John (note my new E-mail address)


Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
To: D.Pinkas@frcl.bull.fr
Cc: cat-ietf@MIT.EDU
Subject: Re: Exportable encryption & Kerberos 
X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4
	WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d
	gD\SW #]iN_U0 KUmOR.P<|um5yP<ea#^"SJK;C*}fMI;Mv(aiO2z~9n.w?@\>kEpSD@*e`
Date: Tue, 20 Jan 1998 13:01:41 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>If negotiation is required, the question is where to perform the
>negotiation: either within Kerberos or using SNEGO, which means outside
>Kerberos.

Oh, sure ... I was putting off reading the SNEGO draft, but now you're
making me do it! :-)

Well, I had understood that SNEGO was for the GSS-API.  It would be
nice if we could have something that would work for non-GSS apps (i.e. -
telnet).  Or are you talking about applying the general negotiation
to that SNEGO does to "raw Kerberos" as well?

--Ken

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: "Mike Swift (NT)" <mikesw@microsoft.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: cat-ietf@MIT.EDU
Subject: RE: Exportable encryption & Kerberos 
Date: Tue, 20 Jan 1998 12:31:22 -0800

As an alternative, we could extend that AUTHENTICATOR by allowing the subkey
to be a sequence. This would allow the client to propose a list of subkeys
and allow the server to select a subkey to return in the AP reply. This
would allow the introduction of new encryption types of various strengths.
The client can propose keys for the various encryption types it supports (if
it was weakened, then only weak encryption types) and the server could
select an encryption type it considered acceptible. This requires that the
client do mutual authentication and ask for an AP reply, though.


Authenticator ::=    [APPLICATION 2] SEQUENCE    {
               authenticator-vno[0]          INTEGER,
               crealm[1]                     Realm,
               cname[2]                      PrincipalName,
               cksum[3]                      Checksum OPTIONAL,
               cusec[4]                      INTEGER,
               ctime[5]                      KerberosTime,
-->            subkey[6]                     SEQUENCE OF EncryptionKey
OPTIONAL,
               seq-number[7]                 INTEGER OPTIONAL,
               authorization-data[8]         AuthorizationData OPTIONAL
                     }

- Mike
> -----Original Message-----
> From:	Ken Hornstein [SMTP:kenh@cmf.nrl.navy.mil]
> Sent:	Monday, January 19, 1998 10:13 PM
> To:	Mike Swift (NT)
> Cc:	cat-ietf@mit.edu
> Subject:	Re: Exportable encryption & Kerberos 
> 
> >I am very open to other suggestions on how best to implement weakened
> >encryption in Kerberos. I proposed a solution that is of limited scope
> but
> >will work. If anybody else has other concrete suggestions I would very
> much
> >like to hear them.
> 
> Okay, politics aside:
> 
> - The binary values of "strong" and "weak" bother me.  Not enough room for
>   expansion or adaptation (what if X version of Kerberos implements
>   "weak", circa 1998, but Y implements "weak" circa 2002?).  I really
>   think these should be new encryption types.
> - I still think that a general framework for negotiating encryption
>   types in an AP_REQ would be useful, for a number of reasons (for
>   example, when 3DES gets into MIT Kerberos, I'd like to be able to
>   use it as quickly as possible, but not have to upgrade all of
>   our application servers).  I know, this is tricky ... but I still
>   think it's solvable.
> 
> --Ken

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: Martin Rex <martin.rex@sap-ag.de>
Subject: Re: Exportable encryption & Kerberos
To: D.Pinkas@frcl.bull.fr
Date: Tue, 20 Jan 1998 21:39:06 +0100 (MEZ)
Cc: cat-ietf@MIT.EDU
Reply-To: Martin.Rex@sap-ag.de

Denis Pinkas wrote:
> 
> > - I still think that a general framework for negotiating encryption
> >   types in an AP_REQ would be useful, for a number of reasons (for
> >   example, when 3DES gets into MIT Kerberos, I'd like to be able to
> >   use it as quickly as possible, but not have to upgrade all of
> >   our application servers).  I know, this is tricky ... but I still
> >   think it's solvable.
> 
> If negotiation is required, the question is where to perform the
> negotiation: either within Kerberos or using SNEGO, which means outside
> Kerberos.
> 
> I would recommend the use of SNEGO (soon to be closed) which allows to
> negotiate all Kerberos flavours as soon as you suffix the Kerberos
> mechanism with some identifier.

I strongly recommend NOT to use SNEGO but define some QOP handshake and
default to the "strongest" algorithms from this handshake.

This is much easier to handle for the application -- since the app isn't
actually bothered with it -- especially when all other "characteristics"
remain unchanged, like:
   - namespace
   - number of message exchanges for context establishment
   - availability of message integrity
   - availability of message confidentiality

When an application offers provisions to deal with gssapi mechanisms
of completely different nature (X.500 DNs and such), it tries to recognize
them by mechanism OID, and if you change that all the time, it will become
a real pain to update and maintain such mechanism OIDs in the application.


SPNEGO may be useful to select among a bunch of completely different
mechanisms with completely differing mechanism OIDs as part of
an infrastructure  (SPKM, Kerberos5, DASS(rip), MS-NTLM, ...).
which includes a standardized mapping between the differing native
namespaces.

-Martin

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
Date: Tue, 20 Jan 1998 14:05:33 -0800
From: Denis Pinkas <D.Pinkas@frcl.bull.fr>
Reply-To: D.Pinkas@frcl.bull.fr
Organization: Bull
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: "Mike Swift (NT)" <mikesw@microsoft.com>, cat-ietf@MIT.EDU
Subject: Re: Exportable encryption & Kerberos

(deleted stuff)

> Okay, politics aside:
 
(deleted stuff)

> - I still think that a general framework for negotiating encryption
>   types in an AP_REQ would be useful, for a number of reasons (for
>   example, when 3DES gets into MIT Kerberos, I'd like to be able to
>   use it as quickly as possible, but not have to upgrade all of
>   our application servers).  I know, this is tricky ... but I still
>   think it's solvable.

If negotiation is required, the question is where to perform the
negotiation: either within Kerberos or using SNEGO, which means outside
Kerberos.

I would recommend the use of SNEGO (soon to be closed) which allows to
negotiate all Kerberos flavours as soon as you suffix the Kerberos
mechanism with some identifier.

Denis

-- 

      Denis Pinkas     Bull S.A.         E-mail : D.Pinkas@frcl.bull.fr
      Rue Jean Jaures  B.P. 68            Phone : 33 - 1 30 80 34 87
      78340 Les Clayes sous Bois. FRANCE   Fax  : 33 - 1 30 80 33 21

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: Carlisle Adams <carlisle.adams@entrust.com>
To: "'deengert@anl.gov'" <deengert@anl.gov>
Cc: "'cat-ietf@mit.edu'" <cat-ietf@MIT.EDU>
Subject: RE: GSSAPI-SPKM
Date: Tue, 20 Jan 1998 18:13:57 -0500

Hi Douglas,

>----------
>From: 	Doug Engert[SMTP:deengert@anl.gov]
>Sent: 	Friday, January 09, 1998 9:37 AM
>To: 	Carlisle Adams
>Cc: 	cat-ietf@mit.edu
>Subject: 	GSSAPI-SPKM
>
>Carlisle,
>
>Are there any implementations of GSSAPI which implement
>SPKM - RFC-2025? Either comercial products or source code? 

None that I can think of off-hand.  I've heard of many projects that
have begun, but I don't know of products or reference implementations.

>Is the Entrust product RFC-2025 compliant? 

Yes, it is.

>If there are more then one, has there been an
>interoperability testing? 

I remember that we did limited interoperability testing some time ago
with another company, but I don't know if that company ever completed
their SPKM work (I think it's priority dropped as they shifted their
focus on to other things).

In any case, other implementations and interoperability testing are
necessary if the IETF might ever consider moving SPKM from Proposed to
Draft.  If there are volunteers out there, I'm sure Entrust would be
interested in participating in some interoperability testing
activities...


--------------------------------------------
Carlisle Adams
Entrust Technologies
cadams@entrust.com
--------------------------------------------


Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
Date: Wed, 21 Jan 1998 03:48:26 +0200 (EET)
From: Tatu Ylonen <ylo@ssh.fi>
To: "Mike Swift (NT)" <mikesw@microsoft.com>
Cc: Richard Salz <salzr@certco.com>, Michael.Eisler@Eng.Sun.COM, tytso@MIT.EDU,
        cat-ietf@MIT.EDU, kenh@cmf.nrl.navy.mil
Subject: RE: Exportable encryption & Kerberos
Organization: SSH Communications Security, Finland

> I am very open to other suggestions on how best to implement weakened
> encryption in Kerberos. I proposed a solution that is of limited scope but
> will work. If anybody else has other concrete suggestions I would very much
> like to hear them.

If I've understood right, Kerberos (the version distributed by MIT)
only implements weak encryption (i.e., single DES).  If this is no
longer the case, why not just revert to the single DES method used
earlier?  Single DES is demonstrably breakable even by groups of
amateurs on the internet.

Or do you want something that is so weak that it can be broken by
individual university undergraduates?  What would be the point of
using encryption that is so weak?  It would no longer protect
passwords or other data.

There is also a Kerberos implementation freely available from Sweden
that supports both DES and 3DES.  If you cannot export, why not just
use that?

Best regards,

    Tatu

-- 
SSH Communications Security	      http://www.ssh.fi/
SSH IPSEC Toolkit		      http://www.ssh.fi/ipsec.html
Free Unix SSH                         http://www.cs.hut.fi/ssh/

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
Date: Tue, 20 Jan 1998 22:07:49 -0500
To: Michael.Eisler@Eng.Sun.COM
Cc: mikesw@microsoft.com, kenh@cmf.nrl.navy.mil, cat-ietf@MIT.EDU
Subject: Re: Exportable encryption & Kerberos
From: tytso@MIT.EDU
Address: 1 Amherst St., Cambridge, MA 02139
Phone: (617) 253-8091

   Date: Sat, 17 Jan 1998 10:13:14 -0800 (PST)
   From: Mike Eisler <Michael.Eisler@eng.Sun.COM>

   The most recent TLS draft has "exportable" cipher suites in it. If
   nothing else, I would hope IESG is consistent in its treatment of the
   output from one WG versus another.

TLS has an optional "exportable" cipher suite, which standardized
existing practice.  The mandatory-to-implement cipher suite in TLS does
use crypto that takes longer than two hours to break.

We have indeed standardizing existing practice before; most notably in
the ONCRPC specs, where we documented an existing scheme which has the
unfortunate property of taking 45 minutes of CPU time to break all
possible keys used in that particular system.  However, that's different
from standardizing a new protocol extension which uses weak crypto.

   The practical reality is that these laws exist. Without some written
   definition of weak cryto, what will happen is various implementers will
   implement non-interoperable schemes. An Informational RFC on 40 bit
   Kerberos V5 privacy would be useful for that reason.

Well, if we're going to do weak crypto, we should at least do it right,
which means defining a new Kerberos V5 encryption type, instead of using
the kludge which Mike was suggesting.  (Mike, speaking of which, I need
to talk to you off-line; the hack you guys are using in NT 5.0 Beta 1 to
indicate a NTLM string-to-key algorithm with an unregistered,
undocumented encryption type is *really* not the best way to do
things...)

It's not clear wheather or not the IESG will published such an
Informational RFC, but I do understand the argument that there should be
one broken way of doing insecure crypto.

However, we should all note that an implementation can't be called
Kerberos-compliant unless it implements the mandatory-to-implement
encryption algorithms --- and this position *is* consistent with the
stand that the IESG has taken in the past on IPSEC, TLS, etc.

						- Ted

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
Date: Tue, 20 Jan 1998 22:08:53 -0500
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: "Mike Swift" <mikesw@microsoft.com>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, cat-ietf@MIT.EDU
Subject: Re: Exportable encryption & Kerberos
Address: 1 Amherst St., Cambridge, MA 02139
Phone: (617) 253-8091

   From: "Mike Swift (NT)" <mikesw@microsoft.com>
   Date: Tue, 20 Jan 1998 12:31:22 -0800

   As an alternative, we could extend that AUTHENTICATOR by allowing the subkey
   to be a sequence. This would allow the client to propose a list of subkeys
   and allow the server to select a subkey to return in the AP reply. 

This won't work, because the result will be completely incompatible with
existing implementations, that won't be expecting an ASN.1 sequence
there.

					- Ted

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
Date: Wed, 21 Jan 1998 12:11:47 -0500
From: Fengmin Gong <gong@mcnc.org>
Organization: MCNC, Advanced Networking
To: cat-ietf@MIT.EDU
Subject: Questions on RFC2078

Hi there,

I am planning to use GSS-API and IDUP-GSS-API in a DARPA
project.  The gist of the project is to create a GSS-API
/IDUP-GSS-API mechanisms implementation which actually
utilizes other security mechansims (ATM cell encryptor,
IPSEC, crypto accellerator etc) to satisfy certain security
service needs of network applications.  Those security
mechanisms are typically distributed among different protocol
layers or across the network.  We want to be able to
utilize them in a dynamic fashion.

Ok, here are my specific questions/suggestions regarding
the GSS-API V2 as specified by RFC2078.  I may be ignorant
of any new development in the CAT group on GSS-API.  I will
appreciate very much the feedback from the active developers
of the spec.  I have sent my subscription to 
cat-ietf-request@mit.edu, but please copy me specifically
in your reply just to be sure.

1) RFC2078 does not inlcude any input parameters for indicating
applications' desire regarding the services or QoP in the
context initilization call.  Those parameters are deferred to
the per-message calls.  It seems reasonable to expect the
applications to have some idea of what they would like to do
with the context when they try to establish one.  In my
project scenario, most of the setup and coordination would
take place at context establishment time but I do not have
those important information to go with.  I have found out that
IDUP-GSS-API draft (dated March 25, 1997) does include such
parameters for the environment establishment call, shouldn't
GSS-API do the same?  It should be pointed out that having
the similar parameters at the per-message level is still a
good idea and should be kept there.

2) The kind of scenarios I face also desire another
feature that is missing from RFC2078 spec, i.e., a kind
of "delegation mode" per-message protection call. For example,
a GSS_Wrap_and_send() call will do all the things that
GSS_Wrap() does now, but in addition will send the wrapped
message out of the network protocol stack instead of
returning it to the caller.  Although I could make do by 
returning the original message to the caller as appropriate, 
it does have some efficiency implication.

I realize that this requirement seems to run against the
GSS-API principle of "protocol environment independence"
but I can also argue otherwise.  Availability of such 
delegation feature will be mechasnism dependent, similar
to QoP support; it can be made known to the applications
at context establishment item using those service flags;
separate per-message calls avoid changing any of the
existing calls.

Thanks for your attention,
Fengmin

--
Fengmin Gong, D.Sc.			E-mail: gong@mcnc.org
Manager, Advanced Networking Research	Phone:  919 248-9214
MCNC, P.O.Box 12889			FAX:    919 248-1455
3021 Cornwallis Rd., RTP, NC 27709	WWW:	http://www.mcnc.org

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: Carlisle Adams <carlisle.adams@entrust.com>
To: "'cat-ietf@mit.edu'" <cat-ietf@MIT.EDU>,
        "'Graham Bland'"
	 <gbland@zergo.com>
Subject: RE: IDUP Compatibility of call sets
Date: Wed, 21 Jan 1998 14:09:06 -0500

Hi Graham,

>----------
>From: 	Graham Bland[SMTP:gbland@zergo.com]
>Sent: 	Thursday, January 15, 1998 5:31 AM
>To: 	cat-ietf@mit.edu
>Subject: 	IDUP Compatibility of call sets
>
>Another question or change:
>
>When generating evidence by the EV call subset evidence_check is returned as 
>an octet string (implemented as a gss_buffer_t) which will be opaque to the 
>caller.
>
>When the EV calls are used for the verification of the evidence this is 
>passed to idup_ev_xxbuffer_startverify() in the same format.  However if the 
>GP calls are used for the verify I cannot see how  the evidence_check 
>contents can be mapped onto the parameters of the idup_start_unprotect call.
>
>Can anybody help or is this a change to the specification ?

The corresponding entity in the GP calls is the (input parameter)
service_verification_info in Unprot_Service.  This is specified in IDUP
to be of type Service_Verification_Info, which is described as a
mechanism-defined parameter bundle.

I tried to make this as general as possible (in keeping with the GP
calls themselves), by allowing total freedom in number and type of
parameters in the Service_Verification_Info bundle.  However, in
practice I think that most mechanism specifications will simply define a
single parameter which is an opaque OCTET STRING, thereby allowing what
you are proposing above (i.e., that evidence may be generated by an EV
call and verified by a GP call, or vice versa).


--------------------------------------------
Carlisle Adams
Entrust Technologies
cadams@entrust.com
--------------------------------------------


Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: Carlisle Adams <carlisle.adams@entrust.com>
To: "'cat-ietf@mit.edu'" <cat-ietf@MIT.EDU>,
        "'Graham Bland'"
	 <gbland@zergo.com>
Subject: RE: GSS and IDUP
Date: Wed, 21 Jan 1998 14:19:15 -0500

Hi Graham,

>----------
>From: 	Graham Bland[SMTP:gbland@zergo.com]
>Sent: 	Wednesday, January 14, 1998 9:12 AM
>To: 	cat-ietf@mit.edu
>Subject: 	GSS and IDUP
>
>Firstly apology on two counts.
>The timing of these comments is poor following last call, however at that 
>time I had no comments.
>
>Secondly the length, this is a collection of comments and issues rather than 
>sending each as a seperate email I have collated them together.
>
>The background from most of these has come from looking at an environment 
>which will support both GSS and GSS-IDUP.  All are based on the latest 
>documents.

Thank you for the detailed comments and for your interest in an
environment that supports GSS and IDUP together.

I hope to issue a revised IDUP draft over the next few weeks (taking
into account input from various conversations at the Washington IETF
meeting in December).  At that time I will respond to, and incorporate,
your comments as best I can.  If you don't mind just being patient for a
couple of weeks while I finish up some other work, I would really
appreciate it...

Thanks again!


--------------------------------------------
Carlisle Adams
Entrust Technologies
cadams@entrust.com
--------------------------------------------


Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: "Linn, John" <jlinn@securitydynamics.com>
To: "cat-ietf@MIT.EDU" <cat-ietf@MIT.EDU>, "'Fengmin Gong'" <gong@mcnc.org>
Subject: RE: Questions on RFC2078
Date: Wed, 21 Jan 1998 16:15:32 -0500

Fengmin Gong writes, excerpting:

> 1) RFC2078 does not inlcude any input parameters for indicating
> applications' desire regarding the services or QoP in the
> context initilization call.  Those parameters are deferred to
> the per-message calls.  It seems reasonable to expect the
> applications to have some idea of what they would like to do
> with the context when they try to establish one.  In my
> project scenario, most of the setup and coordination would
> take place at context establishment time but I do not have
> those important information to go with.  I have found out that
> IDUP-GSS-API draft (dated March 25, 1997) does include such
> parameters for the environment establishment call, shouldn't
> GSS-API do the same?  It should be pointed out that having
> the similar parameters at the per-message level is still a
> good idea and should be kept there.
> 
The current working draft successor to rfc2078
(draft-ietf-cat-rfc2078bis-01.txt) adds conf_req_flag and integ_req_flag
inputs to gss_init_sec_context().  These service request indicators,
unlike QOP values, can be provided in a mechanism-independent fashion
and (given that bindings represent the flags as bits within an already
existing word) were possible to add in a backward-compatible fashion.
QOP requests would be mechanism-specific and would require
less-compatible changes to the call signature. 

> 2) The kind of scenarios I face also desire another
> feature that is missing from RFC2078 spec, i.e., a kind
> of "delegation mode" per-message protection call. For example,
> a GSS_Wrap_and_send() call will do all the things that
> GSS_Wrap() does now, but in addition will send the wrapped
> message out of the network protocol stack instead of
> returning it to the caller.  Although I could make do by 
> returning the original message to the caller as appropriate, 
> it does have some efficiency implication.
> 
> I realize that this requirement seems to run against the
> GSS-API principle of "protocol environment independence"
> but I can also argue otherwise.  Availability of such 
> delegation feature will be mechasnism dependent, similar
> to QoP support; it can be made known to the applications
> at context establishment item using those service flags;
> separate per-message calls avoid changing any of the
> existing calls.
> 
Mechanism dependence issues aside, this sort of coupling could also be
specific not only to protocol environments but also to the communication
access APIs used within an end system. If appropriate in a particular
environment, it's certainly possible to wrap GSS calls within a veneer
which also bundles invocation of communications-level calls; would the
incremental efficiency obtainable by implementing such a veneer below
the declared GSS boundary be sufficiently motivating relative to a
separate modular layer above GSS?

> Thanks for your attention,
> Fengmin
> 
--jl

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
Date: Thu, 22 Jan 1998 09:36:54 GMT
From: lig@gb.swissbank.com (Guang Li)
To: cat-ietf@MIT.EDU, gong@mcnc.org, jlinn@securitydynamics.com
Subject: RE: Questions on RFC2078
X-Sun-Charset: US-ASCII


Fengmin Gong & jl writes, excerpting:

	> 2) The kind of scenarios I face also desire another
	> feature that is missing from RFC2078 spec, i.e., a kind
	> of "delegation mode" per-message protection call. For example,
	> a GSS_Wrap_and_send() call will do all the things that
	> GSS_Wrap() does now, but in addition will send the wrapped
	> message out of the network protocol stack instead of
	> returning it to the caller.  Although I could make do by 
	> returning the original message to the caller as appropriate, 
	> it does have some efficiency implication.
	> 
	> I realize that this requirement seems to run against the
	> GSS-API principle of "protocol environment independence"
	> but I can also argue otherwise.  Availability of such 
	> delegation feature will be mechasnism dependent, similar
	> to QoP support; it can be made known to the applications
	> at context establishment item using those service flags;
	> separate per-message calls avoid changing any of the
	> existing calls.
	> 
	Mechanism dependence issues aside, this sort of coupling could also be
	specific not only to protocol environments but also to the communication
	access APIs used within an end system. If appropriate in a particular
	environment, it's certainly possible to wrap GSS calls within a veneer
	which also bundles invocation of communications-level calls; would the
	incremental efficiency obtainable by implementing such a veneer below
	the declared GSS boundary be sufficiently motivating relative to a
	separate modular layer above GSS?

this is indeed the case for many GSS applications, notably the
OMG's SECIOP. BTW, GSS manages its own buffers, which introduces
unnecessary message copys, and is apparently againest high-performance
protocol design principles.

Dr. Guang X. Li
Information Technology
SBC Warburg Dillon Read
Swiss Bank Corporation
1 Finsbury Avenue
London EC2M 2PP
	

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: Martin Rex <martin.rex@sap-ag.de>
Subject: Re: Questions on RFC2078
To: lig@gb.swissbank.com (Guang Li)
Date: Mon, 26 Jan 1998 19:44:56 +0100 (MEZ)
Cc: cat-ietf@MIT.EDU
Reply-To: Martin.Rex@sap-ag.de


Guang Li wrote:
> 
> this is indeed the case for many GSS applications, notably the
> OMG's SECIOP. BTW, GSS manages its own buffers, which introduces
> unnecessary message copys, and is apparently againest high-performance
> protocol design principles.

Those "unecessary" message copies make the gss-api much simpler and
more robust as an API, both in the gssapi mechanism and the application.
Neither has to care about alignment, blocksize, padding and the case
that the supplied buffer is too small.  The performance impact should
in general be less than 2%, so basically insignificant.

For message integrity only one could use gss_getmic()/gss_verifymic(),
which doesn't copy the message, for confidentiality protection
the extra copy is really in the noise of the encryption.

-Martin

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: "Mike Swift (NT)" <mikesw@microsoft.com>
To: cat-ietf@mit.edu
Subject: Proposed draft on name referrals in Kerberos
Date: Mon, 26 Jan 1998 13:48:35 -0800

Here is the initial draft of a proposal on handling name referrals in
Kerberos. I haven't decided yet whether this should be put through the CAT
group or simply published as an information draft about the Microsoft
implementation of Kerberos. However, I'm interested in people's feedback on
the mechanism in general.

------------------------------------------------------------------------


CAT Working Group                           Michael M. Swift
INTERNET-DRAFT                                     Microsoft
<draft-ietf-cat-init-kerb-referrals-00.txt >
Expires July 15, 1998                       January 15, 1998



                  Generating KDC Referrals


STATUS OF THIS MEMO

This document is an Internet-Draft. Internet-Drafts are
working documents of the Internet Engineering Task Force
(IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of
six months and may be updated, replaced, or obsoleted by
other documents at any time. It is inappropriate to use
Internet-Drafts as reference material or to cite them other
than as "work in progress".

To learn the current status of any Internet-Draft, please
check the "1id-abstracts.txt" listing contained in the
Internet-Drafts Shadow Directories on ftp.is.co.za (Africa),
nic.nordu.net (Europe), munnari.oz.au (Pacific Rim),
ds.internic.net (US East Coast), or ftp.isi.edu (US West
Coast).

Distribution of this document is unlimited.  Please send
comments to the CAT working group at cat-ietf@mit.edu or the
authors.

ABSTRACT

The draft proposes a new method for a Kerberos Key
Distribution Center (KDC) to respond to client requests for
tickets. The KDC will handle requests for principals in
other realms by returning either a referral error or a cross-
realm TGT to another realm on the referral path.

Table of Contents

1.      Introduction                    2

2.      Security Considerations         2

3.      References                      2




1.   Introduction

The Kerberos TGS and AS protocols, as defined in RFC 1510
[1], require that client software be able to parse principal
names into a realm and an account portion. However, if a
site want to deploy a Kerberos realm infrastructure
separately from its DNS infrastructure, Kerberos must be
able to handle the case where the client software does not
know what realm contains a given service or user principal
name. In addition, the current protocol requires the client
to know the hierarchy of realms by explicitly asking for a
referral to a specific realm rather than letting the KDC
pick the next realm on the referral path.

To rectify these problems, this draft introduces three new
kinds of KDC referrals:

1.   AS ticket referrals, in which the client doesnt know
     which realm contains a user account.
2.   TGS ticket referrals, in which the client doesnt know
     which realm contains a server account.
3.   Cross realm shortcut referrals, in which the KDC
     chooses the next path on a referral chain


2.   Realm Organization Model

This draft assumes that the world of principals is arranged
on multiple levels: the realm, the enterprise, and the
world. A KDC may issue tickets for any principal in its
realm or cross-realm tickets for realms with which it has a
direct trust relationship. A realm has access to a directory
or name service that can resolve any name from within its
enterprise into a realm. In addition, at the top of an
enterprise hierarchy there is a list of trusted enterprises
in the world and information on what names are owned by
those enterprises.

For example, consider the following configuration, where
lines indicate trust relationships:

              MS.COM ---------------------- MIT.EDU
            /       \                     /         \
          /           \                 /            \
     OFFICE.MS.COM  NT.MS.COM      LCS.MIT.EDU ATHENA.MIT.EDU

In this configuration, all users in the MS.COM enterprise
could have a principal name such as Alice@ms.com, with the
same realm portion, and all users in the MIT.EDU enterprise
could have principal names as Bob@mit.edu. In addition,
servers at MS.COM should be able to have DNS host names from
any DNS domain independent of what Kerberos realm their
principal resides in. Finally, users from the MIT.EDU and
MS.COM enterprises should be able to authenticate to
services in the other enterprise.

In this model, all realms in the MS.COM enterprise must end
in MS.COM and all realms in the MIT.EDU enterprise must
end in MIT.EDU. While it is not necessary that all names
in both enterprise end in these postfixes, names that dont
will not be usable from the other enterprise.


3.   Name Types

In order to indicate to the KDC that a name may not be
present in its realm, this protocol introduces a new name
type: KRB_NT_ENTERPRISE_PRINCIPAL = 10, indicating that the
name is an enterprise principal and may not exist in the
target domain. In addition and unlike other principal names,
the entire name is transmitted rather than separating it
into name parts. This allows the whole name to be looked up
as it was entered without any processing on the client.

4.   AS Ticket Referrals

The simplest form of ticket referral is for a user
requesting an AS ticket. In this case, the client machine
will send the AS request to a convenient realm, probably
either the realm of the client machine or the realm portion
of the name. In the case of the name Alice@ms.com, the
client may optimistically choose to send the request to
MS.COM. The client will send both Alice and ms.com in
the principal name field. The KDC will try to lookup the
name in its local account database. If the account is
present, it will return a KDC reply structure with the
appropriate ticket. If the account is not present, it will
try to lookup the entire name (Alice@ms.com) in the
enterprise directory. If this lookup is unsuccessful, it
will return the error KDC_ERR_C_PRINCIPAL_UNKNOWN. The
client realm field will contain the realm of the root of the
enterprise. If the lookup is successful, it will return an
error KRB_ERR_WRONG_REALM (0x44) and in the error message,
the cname and crealm field will contain the client name and
the true realm of the client.

If the client receives a KDC_ERR_WRONG_REALM error, it will
issue a new AS request to the realm specified by the crealm
field of the error message. In this case, the client should
fail if it receives another referral. This error indicates
an authoritative referral  the account really is in the
domain specified.

If the client received a KDC_ERR_C_PRINCIPAL_UNKNOWN error
and a crealm other than the realm of the original KDC, it
should issue an AS request against that realm. The error
indicates that the client can expect another referral from
this request. Typically, the original realm will refer the
client to the root of the enterprise, which will then refer
the client to the root of another enterprise, which will
then refer the client to the correct realm in the other
enterprise. This may require that enterprise by pre-
configured for trust or that the KDC is able to locate a KDC
in another realm from the DNS portion of a name in order to
do public-key cross-realm trust.


5.   TGS Referrals

The TGS referral mechanism is a bit more complex than the AS
referral mechanism. The primary problem is that the KDC must
return a referral ticket rather than an error message, so it
must include in the TGS response information about what
realm contains the service. This is done by returning
information about the server name in the pre-auth data field
of the KDC reply.
There are two types of referrals: authoritative referrals,
in which the original KDC knows what realm contains a
service,and non-authoritative referrals, in which the KDC
doesnt know issues a referral to a realm that may know
where the service is located.

5.1  Authoritative TGS Referrals

In this case, the KDC has successfully resolved the server
principal name into a Kerberos realm. In this case, the KDC
will return the a server realm as a PA data type. The data
itself is an asn.1 encoded Realm and the following type:

#define KRB5_PADATA_SERVER_REALM   19

The client can use this information to request follow a
chain of cross-realm TGTs until it reaches this realm, and
can then expect to receive a valid service ticket.


5.2  Non-Authoritative TGS referrals

In the case that the KDC cant resolve the name but can
determine that it probably comes from another enterprise
(the realm portion of the name has a different postfix). In
this case, the KDC will return a referral ticket to a realm
closer on the route to the other enterprise, which will
generally be either the parent of the domain or a domain in
the other enterprise. The KDC will also return the name of a
realm in which the client should try to resolve the name in
a pre-auth data field:
#define KRB5_PADATA_SERVER_REFERRAL_REALM    20


5.3  Client Operations

In both the authoritative and non-authoritative referral
case, the client should follow the referral chain until it
hits the KDC for the realm specified by the original TGS
response. At that point it should attempt to get a TGS
ticket to the server principal name. If the original
referral was authoritative, the client can expect this to
return the correct ticket. If the original referral was not
authoritative, the client should expect this request to
return another referral realm and another cross-realm TGT.

Non-authoritative referrals have the possibility of becoming
a goose chase in which each realm refers the client to
another realm without ever terminating. In this case, the
client code will have to decide when to terminate the search
by bounding the number of non-authoritative referrals it
follow. If enterprises directly trust each other, it is
suggested that a client follow no more than two non-
authoritative referrals.


6.   Cross Realm Routing

The current Kerberos protocol requires the client libraries
to explicitly request a cross-realm TGT for each pair of
realms on a referral chain. As a result, the client machines
need to be aware of the trust hierarchy and of any short-cut
trusts (those that arent parent-child trusts). This
requires a lot of configuration on the client. Instead, the
client should be able to request a TGT to the target realm
from each realm on the route. The KDC will determine the
best path for the client and return a cross-realm TGT. The
client software has to be aware that a request for a cross-
realm TGT may return a TGT for a realm different from the
one requested.

7.   Security Considerations

The original Kerberos specification stated that the server
principal name in the KDC reply was the same as the server
name in the request. These protocol changes break that
assumption, so the client may be vulnerable to a denial of
service attack by an attacker that replays replies from
previous requests. It can verify that the request was one
its own by checking the client-address field or authtime
field, though, so the damage is limited.


8.    References

  [1]  J. Kohl, C. Neuman.  The Kerberos Network
     Authentication Service(V5).  Request for Comments 1510.
  [2]  J. Linn.  The Kerberos Version 5 GSS-API Mechanism.
     Request for Comments 1964
  [3] B. Tung, C. Neuman, J. Wray, A. Medvinsky, M. Hur, J.
     Trostle, Public Key Cryptography for Initial
     Authentication in Kerberos, draft-ietf-cat-kerberos-pk-
     init-04.txt.
  [4] M. Swift, User to User Kerberos Authentication using
     GSS-API, draft-ietf-cat-user2user-01.txt.




Authors Address:
Michael Swift
Microsoft
1 Microsoft Way
Redmond, Washington, 98052, U.S.A.
Email: mikesw@microsoft.com


Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
To: "Mike Swift (NT)" <mikesw@microsoft.com>
Cc: cat-ietf@MIT.EDU
Subject: Re: Proposed draft on name referrals in Kerberos
X-Emacs: 19.34
From: joda@pdc.kth.se (Johan Danielsson)
Date: 27 Jan 1998 17:58:19 +0100
Lines: 6


Couldn't this more easily be solved with some `mail address' to
principal conversion database? For hosts such a database is already in
widespread use.

/Johan

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: "Mike Swift (NT)" <mikesw@MICROSOFT.com>
To: joda@pdc.kth.se
Cc: cat-ietf@MIT.EDU
Subject: RE: Proposed draft on name referrals in Kerberos
Date: Tue, 27 Jan 1998 09:55:20 -0800

The problem is that there is not a mapping between the domain portion of the
email name and the Kerberos realm. As a result, it is not possible for a
client machine to discover the correct realm for a particular name. In
addition, as this mechanism is used for obtaining the initial ticket, the
name mapping from a meta-directory cannot be trusted. By integrating the
mapping with the Kerberos protocol the client can trust the KDC to perform
the mapping properly.

- Mike

-----Original Message-----
From: joda@pdc.kth.se [mailto:joda@pdc.kth.se]
Sent: Tuesday, January 27, 1998 8:58 AM
To: Mike Swift (NT)
Cc: cat-ietf@mit.edu
Subject: Re: Proposed draft on name referrals in Kerberos



Couldn't this more easily be solved with some `mail address' to
principal conversion database? For hosts such a database is already in
widespread use.

/Johan

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: "Mike Swift (NT)" <mikesw@MICROSOFT.com>
To: cat-ietf@MIT.EDU
Subject: Kerberos over TCP/IP
Date: Tue, 27 Jan 1998 10:13:52 -0800

I think that we should add a method for the KDC to return an error to the
client indicating that the client needs to use a different transport. For
example, if the client tries to do PKINIT over UDP and the KDC discovers
that the response won't fit in a datagram, the KDC should be able to return
an error indicating that the client should switch to TCP. We don't
necessarily need to code exactly that message, but perhaps a new error code,
such as KDC_ERR_RESPONSE_TOO_BIG, indicating that the transport can't handle
the size of the response. The client would then be responsible for finding a
transport that could handle a larger message.

In addition, another scenario in which the KDC would want the client to
change transports is if it knows it won't be able to respond within the
timeout for UDP. It is conceivable that with PK-CROSS, in which the KDC may
need to locate and communicate with a KDC in another realm, that it won't be
able to respond within the client's timeout. Perhaps we could formalize a
mechanism for the KDC to return a keep-alive, indicating that the client
should wait longer. One way to do this would be for the KDC to return a
KRB-ERROR message with an error KDC_ERR_PENDING, and a e-data value
indicating how long the client shoud wait. That would allow longer running
transactions to work reasonably over UDP.

- Mike

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
X-Sender: matth@pop-srvr.cybersafe.com
Date: Tue, 27 Jan 1998 10:29:55 -0800
To: "Mike Swift (NT)" <mikesw@MICROSOFT.com>, cat-ietf@MIT.EDU
From: Matt Hur <matt.hur@CyberSafe.COM>
Subject: Re: Proposed draft on name referrals in Kerberos

<x-rich>At 01:48 PM 1/26/98 -0800, you wrote:

>Here is the initial draft of a proposal on handling name referrals in

>Kerberos. I haven't decided yet whether this should be put through the CAT

>group or simply published as an information draft about the Microsoft

>implementation of Kerberos. However, I'm interested in people's feedback on

>the mechanism in general.

>


 ...


>6.   Cross Realm Routing

>

>The current Kerberos protocol requires the client libraries

>to explicitly request a cross-realm TGT for each pair of

>realms on a referral chain. As a result, the client machines

>need to be aware of the trust hierarchy and of any short-cut

>trusts (those that arent parent-child trusts). This

>requires a lot of configuration on the client. Instead, the

>client should be able to request a TGT to the target realm

>from each realm on the route. The KDC will determine the

>best path for the client and return a cross-realm TGT. The

>client software has to be aware that a request for a cross-

>realm TGT may return a TGT for a realm different from the

>one requested.

>

 ...



PKCROSS specifies the following:


    Optionally, the local KDC may add another TicketExtention where

       te-type equals 5 for TE-TYPE-DEST-HOST

    and

       te-data is ASN.1 encoding of DestHost.

    A client could then rely on the local KDC to provide a referral to

    the remote KDC, thus removing the need for the client to maintain

    local host/realm mapping information.


    DestHost ::= SEQUENCE {

           DNSHostname [0]    OCTET STRING,

                              -- authoritative DNS hostname

           HostAddr    [1]    HostAddress OPTIONAL

                              -- as defined by RFC 1510

    }



I think that it would be preferable for your implementation to use this mechanism.


--Matt



<italic><color><param>0000,0000,ffff</param>---------------------------------------------------------------

Matt Hur                      CyberSafe

matt.hur@cybersafe.com        1605 NW Sammamish Road, Suite 310

(425) 391-6000 x154 voice     Issaquah, WA 98027-5378

(425) 391-0508 fax            http://www.cybersafe.com

</color></italic>

</x-rich>
Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: "Mike Swift (NT)" <mikesw@MICROSOFT.com>
To: Matt Hur <matt.hur@CyberSafe.COM>, cat-ietf@MIT.EDU
Subject: RE: Proposed draft on name referrals in Kerberos
Date: Tue, 27 Jan 1998 10:41:02 -0800

It seemed to me that the suggestion from PK-CROSS was a starting point but
not sufficient. It let the client know what server to talk to but not what
realm, and as a result the client can't take advantage of existing
cross-realm TGTs in its cache. In addition, I'm not convinced that the KDC
is the best service to be returning the address of a KDC to the client. In
the case where you have a multiple widely distributed realm, it may be that
there is another KDC closer that could be looked up in DNS. 
 
- Mike

 -----Original Message-----
From: Matt Hur [mailto:matt.hur@CyberSafe.COM]
Sent: Tuesday, January 27, 1998 10:30 AM
To: Mike Swift (NT); cat-ietf@mit.edu
Subject: Re: Proposed draft on name referrals in Kerberos



At 01:48 PM 1/26/98 -0800, you wrote: 

>Here is the initial draft of a proposal on handling name referrals in 
>Kerberos. I haven't decided yet whether this should be put through the CAT 
>group or simply published as an information draft about the Microsoft 
>implementation of Kerberos. However, I'm interested in people's feedback on

>the mechanism in general. 
> 

... 

>6. Cross Realm Routing 
> 
>The current Kerberos protocol requires the client libraries 
>to explicitly request a cross-realm TGT for each pair of 
>realms on a referral chain. As a result, the client machines 
>need to be aware of the trust hierarchy and of any short-cut 
>trusts (those that arent parent-child trusts). This 
>requires a lot of configuration on the client. Instead, the 
>client should be able to request a TGT to the target realm 
>from each realm on the route. The KDC will determine the 
>best path for the client and return a cross-realm TGT. The 
>client software has to be aware that a request for a cross- 
>realm TGT may return a TGT for a realm different from the 
>one requested. 
> 
... 


PKCROSS specifies the following: 

Optionally, the local KDC may add another TicketExtention where 
te-type equals 5 for TE-TYPE-DEST-HOST 
and 
te-data is ASN.1 encoding of DestHost. 
A client could then rely on the local KDC to provide a referral to 
the remote KDC, thus removing the need for the client to maintain 
local host/realm mapping information. 

DestHost ::= SEQUENCE { 
DNSHostname [0] OCTET STRING, 
-- authoritative DNS hostname 
HostAddr [1] HostAddress OPTIONAL 
-- as defined by RFC 1510 
} 


I think that it would be preferable for your implementation to use this
mechanism. 

--Matt 


--------------------------------------------------------------- 
Matt Hur CyberSafe 
matt.hur@cybersafe.com 1605 NW Sammamish Road, Suite 310 
(425) 391-6000 x154 voice Issaquah, WA 98027-5378 
(425) 391-0508 fax http://www.cybersafe.com 

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
To: "Mike Swift (NT)" <mikesw@microsoft.com>
Cc: cat-ietf@mit.edu
Subject: Re: Proposed draft on name referrals in Kerberos
X-Emacs: 19.34
From: joda@pdc.kth.se (Johan Danielsson)
Date: 27 Jan 1998 21:28:01 +0100
Lines: 19

"Mike Swift (NT)" <mikesw@MICROSOFT.com> writes:

> The problem is that there is not a mapping between the domain
> portion of the email name and the Kerberos realm.

Not an obvious, no. That's what you need a database for.

> In addition, as this mechanism is used for obtaining the initial
> ticket, the name mapping from a meta-directory cannot be trusted.

No, but you don't have to. You can at most accomplish denial of
service.

> By integrating the mapping with the Kerberos protocol the client can
> trust the KDC to perform the mapping properly.

How can you know that it ism't a fake KDC you are talking to?

/Johan

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: "Renard, Kenneth" <krenard@securitydynamics.com>
To: cat-ietf@MIT.EDU, "'Mike Swift (NT)'" <mikesw@MICROSOFT.com>
Subject: RE: Kerberos over TCP/IP
Date: Tue, 27 Jan 1998 15:41:53 -0500

A KDC_ERR_PENDING message would be pretty useful for high-latency
transactions such as One-Time-Password (OTP) pre-authentication.
Current scenario:
	
	AS client (kinit) sends request to primary KDC
	Primary KDC starts up high-latency preauth check (e.g. SecurID
code)
	AS client times out and sends request to secondary KDC
	Secondary KDC starts preauth check [This is now the 2nd time the
OTP is
		used, the 2nd attempt will fail, the 1st attempt may
fail now too]
	Race to see which KDC (primary KDC with auth success(?) or
secondary with 		failure) comes back first

A KDC_ERR_PENDING message would do the trick.  Should this type of
message [and timeout value] be signed by the KDC (encrypted with user
key)?

Unfortunately, for all AS and TGS transactions, the KDC process blocks.
If KDC throughput is an issue, you want to stay away from these.  Anyone
want to write a Multi-Threaded KDC??

-Ken Renard

> ----------
> From: 	Mike Swift (NT)[SMTP:mikesw@MICROSOFT.com]
> Sent: 	Tuesday, January 27, 1998 1:13 PM
> To: 	cat-ietf@MIT.EDU
> Subject: 	Kerberos over TCP/IP
> 
> I think that we should add a method for the KDC to return an error to
> the
> client indicating that the client needs to use a different transport.
> For
> example, if the client tries to do PKINIT over UDP and the KDC
> discovers
> that the response won't fit in a datagram, the KDC should be able to
> return
> an error indicating that the client should switch to TCP. We don't
> necessarily need to code exactly that message, but perhaps a new error
> code,
> such as KDC_ERR_RESPONSE_TOO_BIG, indicating that the transport can't
> handle
> the size of the response. The client would then be responsible for
> finding a
> transport that could handle a larger message.
> 
> In addition, another scenario in which the KDC would want the client
> to
> change transports is if it knows it won't be able to respond within
> the
> timeout for UDP. It is conceivable that with PK-CROSS, in which the
> KDC may
> need to locate and communicate with a KDC in another realm, that it
> won't be
> able to respond within the client's timeout. Perhaps we could
> formalize a
> mechanism for the KDC to return a keep-alive, indicating that the
> client
> should wait longer. One way to do this would be for the KDC to return
> a
> KRB-ERROR message with an error KDC_ERR_PENDING, and a e-data value
> indicating how long the client shoud wait. That would allow longer
> running
> transactions to work reasonably over UDP.
> 
> - Mike
> 

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
To: "Renard, Kenneth" <krenard@securitydynamics.com>
Cc: cat-ietf@MIT.EDU
Subject: Re: Kerberos over TCP/IP 
X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4
	WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d
	gD\SW #]iN_U0 KUmOR.P<|um5yP<ea#^"SJK;C*}fMI;Mv(aiO2z~9n.w?@\>kEpSD@*e`
Date: Wed, 28 Jan 1998 22:34:56 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>A KDC_ERR_PENDING message would be pretty useful for high-latency
>transactions such as One-Time-Password (OTP) pre-authentication.

I thought that one of the design criteria of the KDC was that it
it was stateless ... it looks like to me that adding this would require
keeping track of state to the KDC.

And I have yet to understand why SecurID takes so long to perform
authentication, anyway :-)

--Ken

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: Ewald Kamp <e.kamp@stud.tue.nl>
To: "'cat-ietf@MIT.EDU'" <cat-ietf@mit.edu>
Subject: unsubscribe
Date: Thu, 29 Jan 1998 09:29:54 +-100

unsubscribe

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: "Wiebe,Philip" <Philip_Wiebe@racal.com>
To: cat-ietf@mit.edu
Subject: unsubscribe
Date: Thu, 29 Jan 1998 08:31:00 -0500

     unsubscribe

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: Ewald Kamp <e.kamp@stud.tue.nl>
To: "cat-ietf@mit.edu" <cat-ietf@mit.edu>
Subject: unsubscribe
Date: Thu, 29 Jan 1998 16:32:52 +-100

unsubscribe

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: "Mike Swift (NT)" <mikesw@MICROSOFT.com>
To: "Renard, Kenneth" <krenard@securitydynamics.com>,
        "'Ken Hornstein'"
	 <kenh@cmf.nrl.navy.mil>
Cc: cat-ietf@MIT.EDU, "'kerberos@mit.edu'" <kerberos@MIT.EDU>
Subject: RE: Kerberos over TCP/IP 
Date: Thu, 29 Jan 1998 09:16:05 -0800

The Microsoft KDC is multi-threaded and may need to support longer-running
requests - hence my interest in adding a pending message. In addition, I
think the error for indicating that the response message is too big to fit
in a UDP message is useful unless clients know to try TCP first, which they
may not want to for performance reasons.

- Mike
-----Original Message-----
From: Renard, Kenneth [mailto:krenard@securitydynamics.com]
Sent: Thursday, January 29, 1998 7:41 AM
Subject: RE: Kerberos over TCP/IP 

...

Hmmm... a multi-threaded KDC sounds pretty cool!  Any ideas/issues?

	> --Ken

-Ken R.

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
To: "Renard, Kenneth" <krenard@securitydynamics.com>
Cc: cat-ietf@MIT.EDU, "'kerberos@mit.edu'" <kerberos@MIT.EDU>
Subject: Re: Kerberos over TCP/IP 
X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4
	WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d
	gD\SW #]iN_U0 KUmOR.P<|um5yP<ea#^"SJK;C*}fMI;Mv(aiO2z~9n.w?@\>kEpSD@*e`
Date: Thu, 29 Jan 1998 12:33:18 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>Hmmm... a multi-threaded KDC sounds pretty cool!  Any ideas/issues?

I'm not sure this is appropriate for cat-ietf, buuuttt ...

Currently under Unix, threads present portability problems.  If you're
using one of the many userspace threads packages, you probably shouldn't
even bother, since they're non-preemptive and you'll just end up with
an event-driven KDC like you have now.

Even when you have kernel support for threads, the implementations I've
seen don't actually get you concurrency unless you have a multiprocessor
machine.

--Ken

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
Date: Thu, 29 Jan 1998 13:33:30 -0500 (EST)
From: Richard Salz <salzr@certco.com>
To: kenh@cmf.nrl.navy.mil, krenard@securitydynamics.com, mikesw@MICROSOFT.com
Subject: RE: Kerberos over TCP/IP
Cc: cat-ietf@MIT.EDU, kerberos@MIT.EDU

>The Microsoft KDC is multi-threaded and may need to support longer-running
>requests - hence my interest in adding a pending message. In addition, I
>think the error for indicating that the response message is too big to fit
>in a UDP message is useful unless clients know to try TCP first, which they
>may not want to for performance reasons.

This sounds like a big step down the slippery slope of re-implementing
an industrial-strength RPC system.  I don't think it's something
for this working group or this specification.
	/r$

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: "Mike Swift (NT)" <mikesw@microsoft.com>
To: Richard Salz <salzr@certco.com>
Cc: cat-ietf@MIT.EDU
Subject: RE: Kerberos over TCP/IP
Date: Thu, 29 Jan 1998 10:39:32 -0800

True, it is a rathole. However, will the Kerberos protocol function with the
new heavyweight extensions if something like this isn't added? I know DCE
went to RPC for the KDC, which resolves all these problems. The question is
how best to fix this for MIT kerberos - incrementally adding robustness
features or switch wholesale to a new transport protocol.

-----Original Message-----
From: Richard Salz [mailto:salzr@certco.com]
Sent: Thursday, January 29, 1998 10:34 AM
To: kenh@cmf.nrl.navy.mil; krenard@securitydynamics.com; Mike Swift (NT)
Cc: cat-ietf@MIT.EDU; kerberos@MIT.EDU
Subject: RE: Kerberos over TCP/IP


>The Microsoft KDC is multi-threaded and may need to support longer-running
>requests - hence my interest in adding a pending message. In addition, I
>think the error for indicating that the response message is too big to fit
>in a UDP message is useful unless clients know to try TCP first, which they
>may not want to for performance reasons.

This sounds like a big step down the slippery slope of re-implementing
an industrial-strength RPC system.  I don't think it's something
for this working group or this specification.
	/r$

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
Date: Thu, 29 Jan 1998 13:57:21 -0500 (EST)
From: Richard Salz <salzr@certco.com>
To: mikesw@MICROSOFT.com
Subject: RE: Kerberos over TCP/IP
Cc: cat-ietf@MIT.EDU

>True, it is a rathole. However, will the Kerberos protocol function with the
>new heavyweight extensions if something like this isn't added? I know DCE
>went to RPC for the KDC, which resolves all these problems. The question is
>how best to fix this for MIT kerberos - incrementally adding robustness
>features or switch wholesale to a new transport protocol.

I believe the best fix is to say "use another protocol" or "try TCP first."
This can be a "note to implementors" part of the spec.

I firmly believe this WG should not start down this path.  The slope is
way too steep.  Adding "in progress" (I prefer the ISO RPC name indy,
for I'm Not Dead Yet:) packets is a big step toward breaking the lockstep
request/reply nature of the protocol.  Especially because within 48 hours
of accepting this concept, someone will say that they are developing a
smart client and would like to ping the KDC themselves.  Etc.  The
slippery slope has a pretty steep slope, in my view.
	/r$

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: "Linn, John" <jlinn@securitydynamics.com>
To: "'CAT-WG List'" <cat-ietf@MIT.EDU>
Subject: draft-ietf-cat-rfc2078bis-02.txt enroute
Date: Thu, 29 Jan 1998 14:29:42 -0500

CAT/2078bis fanciers:

Along with this message, and per plan as declared at the DC meeting, I'm
sending a new revision of 2078bis to the secretariat, to become
draft-ietf-cat-rfc2078bis-02.txt, largely to respond to discussion at
the December CAT meeting refining and closing specific points re GSS-V2,
whose scope has been stable for some time.  I believe that we're very
close to convergence, but a few points (noted below) remain pending.
Please review the changes as summarized below, and identify any other
issues requiring resolution before submission of GSS-V2 Update 1 to the
IESG on behalf of the WG, to be considered for the status of a new
Proposed Standard to succeed RFC-2078.  I hope that we can achieve
closure on the remaining points shortly (in particular, by Friday, 5
February), as input to revising the document specifically against those
points and submitting the result to a CAT-WG Last-Call period to begin
later in February and to conclude before the March-April IETF meeting in
Los Angeles. 

Remaining open points are as follows:

[From DC minutes] "It was recognized that current GSS-API specifications
do not prescribe the error which should be returned if a reflected token
(a token received by the endpoint which generated it) is detected.  Many
existing mechanisms' protocols include provisions for detecting such
tokens, and it seems reasonable that a major_status code should be
selected to indicate this situation."  Martin Rex posted a comment about
this issue to the list on 8 December, proposing use of
GSS_S_DUPLICATE_TOKEN if a per-message call detects a reflected token
and recommending that such detection be mandated when the replay
detection service is provided, but I don't believe that follow-up
discussion ensued.  

[From DC minutes] "An additional RFC2078bis topic had been identified
for discussion, but was not considered within the time available and
therefore remains outstanding: should GSS_S_NO_CRED be returned by
per-message calls if credential elements are needed but unavailable in
order to complete an operation?"  

List discussion (21-26 January) included suggestions for (a) facilities
to indicate QoP preferences during context initiation and (b) new calls
coupling per-message protection with transmission of protected data over
the network protocol stack to the context's peer. I believe that
inclusion of (a) would violate the backward compatibility assumptions
which have guided us in scoping GSS-V2 changes, and that (b) would
represent a demonstrably contentious scope change at this time.  My
working assumption, therefore, is that consensus does not now exist for
reflection of these suggestions within rfc2078bis. 

List discussion, 15-20 January, re GSS-API per-message protection
negotiation; needs closure and evaluation of any resulting consideration
within documents. 

Note: Need either to add "changes from 2078" section, or merge
additional 2078bis changes into the existing "changes from GSS-V1"
section.

Changes made in 2078bis-02 relative to 2078bis-01 are as follows:

Re GSS_Inquire_sec_context(), stated that src_name and targ_name are not
returned unless the context being reported is in GSS_S_COMPLETE state,
to avoid ambiguity as to whether or not a name object is being returned
(and, therefore, whether or not the caller needs to release it).  [Done
in 2078bis-02]

Per 21 Nov discussion, removed CONTEXT_EXPIRED as error from
inquire_context, replacing with EXPIRED lifetime return value.  Stated
obligation to maintain inquirable context data on expired context until
released by caller, even though underlying crypto elements may be
deleted.  [Done in 2078bis-02]

The sense of December meeting attendees confirmed that
GSS_Inquire_context() would be aligned with the C bindings to add a
result value indicating whether or not a context was fully open.
Expired contexts are to be indicated with a reserved "lifetime" value
rather than by returning the fatal CONTEXT_EXPIRED error.  [Reflected in
2078bis-02]

Attendees confirmed list discussion regarding the indication of
informational sequencing errors along with GSS_S_COMPLETE and
GSS_S_FAILURE major_status: consistent with the C bindings, 2078bis will
reflect that the sequencing error status codes may be indicated along
with either COMPLETE or FAILURE for per-message calls; while this is
syntactically possible for context establishment calls as well, return
of sequencing error status along with COMPLETE (or CONTINUE_NEEDED) will
remain semantically prohibited during the context establishment phase.
[Reflected in 2078bis-02, sec. 1.2.1.1]

Regarding side effects, it was considered appropriate to state that
invocation of GSS-API calls incurs no side effects visible at the
GSS-API level (it being considered implausibly broad to rule out side
effects on other aspects of system behavior).  [Reflected in 2078bis-02,
sec. 1.2.8]

For GSS_Acquire_cred() and GSS_Add_cred(), GSS_S_NO_CRED, rather than
GSS_S_FAILURE as at present, is to be returned if an authorization
failure is encountered upon credential acquisition. This decision
reconciles previous inconsistent choices in the direction of informative
error reporting. [Reflected in 2078bis-02]

In discussion at the DC meeting, the idea of making provision of a
target name to GSS_Init_sec_context() optional was accepted; the
specific working proposal was to recommend that mechanisms accept
GSS_C_NO_NAME as an input target_name type.  [Added this recommendation
in 2078bis-02, in the discussion of GSS_Init_sec_context(); also added a
small GSS_C_NO_NAME section 4.8, alongside the descriptions of other
name types.]

If an exported name object is imported with GSS_Import_name() and the
enclosed mechanism type is not recognized or unsupported, it was
considered (consistent with list discussion) that GSS_S_BAD_MECH should
be returned.  [Reflected in 2078bis-02]

Discussion at the session confirmed that RFC2078bis is to be aligned
with the C bindings by removing (rather than deprecating, as is
currently the case) GSS_S_CREDENTIALS_EXPIRED as a return value from
per-message protection, context_time, and inquire_context calls.
[Reflected in 2078bis-02]

Regarding the acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials
with explicit names, it was considered at the DC meeting that an
explicit name as returned from GSS_Inquire_context() should be
acceptable as an input to credential acquisition.  It is important to
recognize that the explicit name which is yielded by resolution of a
reference to "default" may change over time, e.g., as a result of local
credential element management operations outside GSS-API. [Reflected in
2078bis-02, in texts for GSS_Acquire_cred() and GSS_Add_cred().]

--jl


John Linn (linn@rsa.com)
RSA Laboratories East, Bedford, MA, USA

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
To: "Mike Swift (NT)" <mikesw@microsoft.com>
Cc: Richard Salz <salzr@certco.com>, cat-ietf@MIT.EDU
Subject: Re: Kerberos over TCP/IP 
Date: Thu, 29 Jan 1998 16:36:49 -0500
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>

To inject some facts into the discussion, the decision to have DCE use
RPC in addition to (not instead of!) UDP/IP for KDC communication was
in many ways a political one and had nothing to do with the size of
the messages possible over UDP, or other properties of the transport
protocol.

DCE was intended to be transport-protocol independant, with all the
per-transport-protocol hair localized within RPC and all communication
done over RPC.  Sort of like IP, only at a slightly higher layer in
the stack.

So, in the case of Kerberos, the byte string containing the datagram
to be sent via UDP was instead passed as a byte array parameter in an
RPC...

I question the wisdom of bloating kerberos messages to the point where
they won't fit in a sub-path-MTU udp datagram... but if you have to do
that, the Right Answer is clearly to just use TCP...  but that adds
significant complexity to the KDC due to (among other things)
connection management and flow control issues..

				- Bill
				(DCE implementor...)

Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
X-Sender: matth@pop-srvr.cybersafe.com
Date: Thu, 29 Jan 1998 15:00:04 -0800
To: "Mike Swift (NT)" <mikesw@microsoft.com>, cat-ietf@mit.edu
From: Matt Hur <matt.hur@CyberSafe.COM>
Subject: RE: Proposed draft on name referrals in Kerberos

<x-rich>I believe that the PKCROSS specification is sufficient.  Please see embedded comments.


At 10:41 AM 1/27/98 -0800, Mike Swift (NT) wrote:

>It seemed to me that the suggestion from PK-CROSS was a starting point but

>not sufficient. It let the client know what server to talk to but not what

>realm, and as a result the client can't take advantage of existing


The realm is in the message returned from the KDC.


>cross-realm TGTs in its cache. In addition, I'm not convinced that the KDC


I'm not sure what you mean about taking advantage of existing cross realm tickets.  You want the client, upon receiving a cross realm TGT from the KDC, to then take advantage of a cross realm ticket that it has cached?


>is the best service to be returning the address of a KDC to the client. In

>the case where you have a multiple widely distributed realm, it may be that

>there is another KDC closer that could be looked up in DNS. 


There is no guarantee that DNS will map accordingly.


--Matt



> 

>- Mike

>

> -----Original Message-----

>From: Matt Hur [mailto:matt.hur@CyberSafe.COM]

>Sent: Tuesday, January 27, 1998 10:30 AM

>To: Mike Swift (NT); cat-ietf@mit.edu

>Subject: Re: Proposed draft on name referrals in Kerberos

>

>

>

>At 01:48 PM 1/26/98 -0800, you wrote: 

>

>>Here is the initial draft of a proposal on handling name referrals in 

>>Kerberos. I haven't decided yet whether this should be put through the CAT 

>>group or simply published as an information draft about the Microsoft 

>>implementation of Kerberos. However, I'm interested in people's feedback on

>

>>the mechanism in general. 

>> 

>

>... 

>

>>6. Cross Realm Routing 

>> 

>>The current Kerberos protocol requires the client libraries 

>>to explicitly request a cross-realm TGT for each pair of 

>>realms on a referral chain. As a result, the client machines 

>>need to be aware of the trust hierarchy and of any short-cut 

>>trusts (those that arent parent-child trusts). This 

>>requires a lot of configuration on the client. Instead, the 

>>client should be able to request a TGT to the target realm 

>>from each realm on the route. The KDC will determine the 

>>best path for the client and return a cross-realm TGT. The 

>>client software has to be aware that a request for a cross- 

>>realm TGT may return a TGT for a realm different from the 

>>one requested. 

>> 

>... 

>

>

>PKCROSS specifies the following: 

>

>Optionally, the local KDC may add another TicketExtention where 

>te-type equals 5 for TE-TYPE-DEST-HOST 

>and 

>te-data is ASN.1 encoding of DestHost. 

>A client could then rely on the local KDC to provide a referral to 

>the remote KDC, thus removing the need for the client to maintain 

>local host/realm mapping information. 

>

>DestHost ::= SEQUENCE { 

>DNSHostname [0] OCTET STRING, 

>-- authoritative DNS hostname 

>HostAddr [1] HostAddress OPTIONAL 

>-- as defined by RFC 1510 

>} 

>

>

>I think that it would be preferable for your implementation to use this

>mechanism. 

>

>--Matt 

>

>

>--------------------------------------------------------------- 

>Matt Hur CyberSafe 

>matt.hur@cybersafe.com 1605 NW Sammamish Road, Suite 310 

>(425) 391-6000 x154 voice Issaquah, WA 98027-5378 

>(425) 391-0508 fax http://www.cybersafe.com 

>

>

>

<italic><color><param>0000,0000,ffff</param>---------------------------------------------------------------

Matt Hur                      CyberSafe

matt.hur@cybersafe.com        1605 NW Sammamish Road, Suite 310

(425) 391-6000 x154 voice     Issaquah, WA 98027-5378

(425) 391-0508 fax            http://www.cybersafe.com

</color></italic>

</x-rich>
Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
To: IETF-Announce@ns.ietf.org
Cc: cat-ietf@mit.edu
From: Internet-Drafts@ns.ietf.org
Reply-To: Internet-Drafts@ns.ietf.org
Subject: I-D ACTION:draft-ietf-cat-kerberos-pk-recovery-00.txt
Date: Fri, 30 Jan 1998 09:41:02 -0500

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Common Authentication Technology Working Group 
of the IETF.

	Title		: Public Key Cryptography for KDC Recovery in Kerberos V5
	Author(s)	: J. Trostle
	Filename	: draft-ietf-cat-kerberos-pk-recovery-00.txt
	Pages		: 7
	Date		: 29-Jan-98
	
   This document defines extensions to the Kerberos protocol
   specification (RFC 1510, ''The Kerberos Network Authentication
   Service (V5)'', September 1993) to enable the recovery of a
   compromised Kerberos V5 KDC using public key cryptography.
   The document specifies the recovery protocol which uses
   preauthentication data fields and error data fields in Kerberos
   messages to transport recovery data.

Internet-Drafts are available by anonymous FTP.  Login with the username
"anonymous" and a password of your e-mail address.  After logging in,
type "cd internet-drafts" and then
	"get draft-ietf-cat-kerberos-pk-recovery-00.txt".
A URL for the Internet-Draft is:
ftp://ds.internic.net/internet-drafts/draft-ietf-cat-kerberos-pk-recovery-00.txt

Internet-Drafts directories are located at:

	Africa:	ftp.is.co.za
	
	Europe: ftp.nordu.net
		ftp.nis.garr.it
			
	Pacific Rim: munnari.oz.au
	
	US East Coast: ds.internic.net
	
	US West Coast: ftp.isi.edu

Internet-Drafts are also available by mail.

Send a message to:	mailserv@ds.internic.net.  In the body type:
	"FILE /internet-drafts/draft-ietf-cat-kerberos-pk-recovery-00.txt".
	
NOTE:	The mail server at ds.internic.net can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
		
		
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

<ftp://ds.internic.net/internet-drafts/draft-ietf-cat-kerberos-pk-recovery-00.txt>
Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
To: IETF-Announce@ns.ietf.org
Cc: cat-ietf@MIT.EDU
From: Internet-Drafts@ns.ietf.org
Reply-To: Internet-Drafts@ns.ietf.org
Subject: I-D ACTION:draft-ietf-cat-rfc2078bis-02.txt
Date: Fri, 30 Jan 1998 09:51:23 -0500

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Common Authentication Technology Working Group of the IETF.

	Title		: Generic Security Service Application 
                          Program Interface Version 2, Update 1
	Author(s)	: J. Linn
	Filename	: draft-ietf-cat-rfc2078bis-02.txt
	Pages		: 94
	Date		: 29-Jan-98
  	
   The Generic Security Service Application Program Interface (GSS-API),
   Version 2, as defined in [RFC-2078], provides security services to
   callers in a generic fashion, supportable with a range of underlying
   mechanisms and technologies and hence allowing source-level
   portability of applications to different environments. This
   specification defines GSS-API services and primitives at a level
   independent of underlying mechanism and programming language
   environment, and is to be complemented by other, related
   specifications:
 
      documents defining specific parameter bindings for particular
      language environments
 
      documents defining token formats, protocols, and procedures to be
      implemented in order to realize GSS-API services atop particular
      security mechanisms
 
   This Internet-Draft revises [RFC-2078], making specific, incremental
   changes in response to implementation experience and liaison
   requests. It is intended, therefore, that this draft or a successor
   version thereto will become the basis for subsequent progression of
   the GSS-API specification on the standards track.

Internet-Drafts are available by anonymous FTP.  Login with the username
"anonymous" and a password of your e-mail address.  After logging in,
type "cd internet-drafts" and then
	"get draft-ietf-cat-rfc2078bis-02.txt".
A URL for the Internet-Draft is:
ftp://ds.internic.net/internet-drafts/draft-ietf-cat-rfc2078bis-02.txt

Internet-Drafts directories are located at:

	Africa:	ftp.is.co.za
	
	Europe: ftp.nordu.net
		ftp.nis.garr.it
			
	Pacific Rim: munnari.oz.au
	
	US East Coast: ds.internic.net
	
	US West Coast: ftp.isi.edu

Internet-Drafts are also available by mail.

Send a message to:	mailserv@ds.internic.net.  In the body type:
	"FILE /internet-drafts/draft-ietf-cat-rfc2078bis-02.txt".
	
NOTE:	The mail server at ds.internic.net can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
		
		
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

<ftp://ds.internic.net/internet-drafts/draft-ietf-cat-rfc2078bis-02.txt>
Return-Path: <owner-cat-ietf@pad-thai.cam.ov.com>
From: "Linn, John" <jlinn@securitydynamics.com>
To: "Martin.Rex@sap-ag.de" <martin.rex@sap-ag.de>,
        "'John_Wray@iris.com'"
	 <John_Wray@iris.com>
Cc: "cat-ietf@MIT.EDU" <cat-ietf@mit.edu>
Subject: RE: GSS-API per msg prot negotiation
Date: Fri, 30 Jan 1998 15:53:19 -0500

John Wray wrote, excerpting: 

> Would the following restrictions do what you want:
> 
>     A) If a gssapi mechanism spec allows for optional support of
>        particular QOP values, then either:
> 
>        i) All implementations are required to be capable of
>           processing messages protected using any QOP value,
>           regardless of whether they can apply protection
>           corresponding to that QOP,
> 
>        or
> 
>        ii) The set of mutually-supported receiver QOP values
>            must be determined during context establishment,
>            and messages may be protected by either peer
>            using only QOP values from this mutually-supported
>            set.
> 
>        NOTE: (i) is just a special-case of (ii), where
>              implementations are required to support
>              all QOP values on receipt.
> 
This seems like a clarifying statement which would be useful to be able
to include within 2078bis, probably within the QOP section (1.2.4).  To
consider one mechanism, RFC-1964 would need some changes to align with
(i); of three QOP-selectable integrity algorithms, it states that one
may not be supported by all implementations and the section's text is
silent about support requirements for the other two.  What's the group
sentiment about including the statement and aligning mechanism specs
accordingly?

>     B) A failure of gss_getmic() or gss_wrap() due to an attempt
>        to use an unsupported QOP will not interfere with context
>        validity, nor shall such a failure impact the ability of the
>        application to subsequently invoke gss_getmic() or
>        gss_wrap() using a supported QOP; in particular, any
>        state information concerning sequencing of outgoing
>        messages shall be unchanged by an unsuccesful call
>        of gss_getmic() or gss_wrap().
> 
>        NOTE: should the last clause (after the semilcolon) be
>              true in general - shouldn't any failure of gss_getmic()
>              or gss_wrap() leave sequencing state alone?
> 
I think that discussion in this area would logically fall into 2078bis's
Sec. 1.2.8 (Implementation Robustness).  John's note seems right to me;
what's the group sentiment about including two separate statements: the
clause up to the semicolon, and a separate sentence beginning with the
words "any state information..."?

--jl