Re: [Curdle] AD Review of draft-ietf-curdle-gss-keyex-sha2-05

Benjamin Kaduk <kaduk@mit.edu> Tue, 10 April 2018 13:01 UTC

Date: Tue, 10 Apr 2018 08:01:13 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: denis bider <denisbider.ietf@gmail.com>
Cc: Simo Sorce <simo@redhat.com>, Eric Rescorla <ekr@rtfm.com>, curdle <curdle@ietf.org>, draft-ietf-curdle-gss-keyex-sha2@tools.ietf.org
Message-ID: <20180410130112.GI89183@kduck.kaduk.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/TjDFZmPwn2cdH5oMJpArYHkiLlY>

On Tue, Apr 10, 2018 at 03:02:35AM -0500, denis bider wrote:
> > Krb5 which is de facto the only used GSSAPI mechanism for
> > SSH GSS Key exchanges.
> 
> Just a side note: "de facto" are key words there. In practice Kerberos is
> the most widely supported GSSAPI mechanism used in SSH. However, GSSAPI key
> exchange works equally well with other mechanisms. For example, I believe
> we've had someone (either on this list, or on the mostly-zombie SSH list)
> mention that they use GSSAPI with X.509 (possibly?) as well as other
> mechanisms.

I had almost replied with a similar note, so thanks -- this prompted
me to actually find a link for the "GSI" mechanism I remember
hearing about:

http://toolkit.globus.org/toolkit/docs/latest-stable/gsic/
and as used in ssh:
http://grid.ncsa.illinois.edu/ssh/

-Ben