Re: [Curdle] I-D Action: draft-ietf-curdle-des-des-des-die-die-die-02.txt

Michiko Short <michikos@microsoft.com> Tue, 06 June 2017 16:13 UTC

From: Michiko Short <michikos@microsoft.com>
To: Daniel Migault <daniel.migault@ericsson.com>, "draft-ietf-curdle-des-des-des-die-die-die@ietf.org" <draft-ietf-curdle-des-des-des-die-die-die@ietf.org>
CC: "curdle-chairs@ietf.org" <curdle-chairs@ietf.org>, "curdle@ietf.org" <curdle@ietf.org>
Date: Tue, 06 Jun 2017 16:13:16 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/Ym5v9_Fu5-xl4ieCWjxmDutr3ZI>

Also, why do we only call out Windows? Perhaps the better option is to list which of all our versions support AES. For example:

Windows has supported AES since 2007 with the release of Windows Vista & 2008 with the release of Windows Server 2008; therefore the number of Windows machines which required RC4 should be low. MIT has... Heimdal has...

-----Original Message-----
From: Daniel Migault [mailto:daniel.migault@ericsson.com] 
Sent: Monday, June 5, 2017 2:50 PM
To: draft-ietf-curdle-des-des-des-die-die-die@ietf.org
Cc: curdle-chairs@ietf.org; curdle@ietf.org
Subject: RE: [Curdle] I-D Action: draft-ietf-curdle-des-des-des-die-die-die-02.txt

Hi, 

Thanks for updating the draft. I have found some small nits, but overall the draft seems to me ready to be sent to the IESG. I have prepared the shepherd write-up [1]. I believe 03 will be sent to the IESG.

If anyone has additional comments, please let us know as soon as possible.

Yours,
Daniel

[1] https://datatracker.ietf.org/doc/draft-ietf-curdle-des-des-des-die-die-die/shepherdwriteup/

COMMENT A)
"""
 However, both Windows XP and Windows Server 2003 are already out of
   their official support periods.  It is now believed that all machines
   that might be broken by disabling RC4 are unsupported, and concerns
   about breaking them will be reduced.  That should facilitate the
   removal of RC4 from common use.
"""

Maybe that is my English and I might misinterpret the text, but I do not find it appropriate to mention that we are not concerned by breaking some systems. I also feel that the text can be interpreted as a commercial argument to "buy the new release". Maybe it might be more appropriate to say that, as unsupported, their number is expected to be quite low, and then that such machines are unlikely to operate on managed networks where Kerberos is deployed. If that is the case, it is the responsibility of the network administrator to address this issue appropriately. But I am fine with the conclusion: That should facilitate the removal of RC4 from common use.


COMMENT B)
Maybe some references could be provided for the cited Kerberos implementations.  

MIT Kerberos: https://web.mit.edu/kerberos/
Heimdal Kerberos: https://www.h5l.org/

COMMENT C) 

The URL does not appear in the references. 
[MS-NLMP]  Microsoft Corporation, "[MS-NLMP]: NT LAN Manager (NTLM)
              Authentication Protocol", May 2014.
[IANA-KRB]
              Internet Assigned Numbers Authority, "IANA Kerberos
              Parameters Registry", March 2017.

I suppose this is an issue in the xml, and maybe the following syntax could solve this issue:

OLD:
<reference anchor="MS-NLMP">
    <front>
        <title abbrev="NTLM Authentication Protocol">[MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol</title>
        <author>
            <organization>Microsoft Corporation</organization>
        </author>
        <date year="2014" month="May"/>
    </front>
    <format type="HTML" target="https://msdn.microsoft.com/en-us/library/cc236621.aspx"/>
</reference>

<reference anchor="IANA-KRB">
    <front>
        <title>IANA Kerberos Parameters Registry</title>
        <author>
            <organization>Internet Assigned Numbers Authority</organization>
        </author>
        <date year="2017" month="March"/>
    </front>
    <format type="HTML" target="https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml"/>
</reference>

NEW:
<reference anchor="MS-NLMP" target="https://msdn.microsoft.com/en-us/library/cc236621.aspx">
    <front>
        <title abbrev="NTLM Authentication Protocol">[MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol</title>
        <author>
            <organization>Microsoft Corporation</organization>
        </author>
        <date year="2014" month="May"/>
    </front>
</reference>

<reference anchor="IANA-KRB" target="https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml">
    <front>
        <title>IANA Kerberos Parameters Registry</title>
        <author>
            <organization>Internet Assigned Numbers Authority</organization>
        </author>
        <date year="2017" month="March"/>
    </front>
</reference>

COMMENT D) 

The RFC6150 is informational and is listed in the normative section. I believe it should be in the informational reference section. 

[RFC6150]  Turner, S. and L. Chen, "MD4 to Historic Status",
              RFC 6150, DOI 10.17487/RFC6150, March 2011,
              <http://www.rfc-editor.org/info/rfc6150>.

COMMENT E) 

s/Similarly, IANA Is requested/ Similarly, IANA is requested


-----Original Message-----
From: Curdle [mailto:curdle-bounces@ietf.org] On Behalf Of Benjamin Kaduk
Sent: Sunday, June 04, 2017 10:51 PM
To: curdle@ietf.org
Subject: Re: [Curdle] I-D Action: draft-ietf-curdle-des-des-des-die-die-die-02.txt

This just updates the reference for the IANA registries to have the actual URL for the registry on the web, instead of referencing the RFC that created the registries.

-Ben

On Sun, Jun 04, 2017 at 07:49:57PM -0700, internet-drafts@ietf.org wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the CURves, Deprecating and a Little more Encryption of the IETF.
> 
>         Title           : Deprecate 3DES and RC4 in Kerberos
>         Authors         : Benjamin Kaduk
>                           Michiko Short
> 	Filename        : draft-ietf-curdle-des-des-des-die-die-die-02.txt
> 	Pages           : 9
> 	Date            : 2017-06-04
> 
> Abstract:
>    The 3DES and RC4 encryption types are steadily weakening in
>    cryptographic strength, and the deprecation process should be begun
>    for their use in Kerberos.  Accordingly, RFC 4757 is moved to
>    Obsolete status, as none of the encryption types it specifies should
>    be used, and RFC 3961 is updated to note the deprecation of the
>    triple-DES encryption types.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-curdle-des-des-des-die-die-die/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-curdle-des-des-des-die-die-die-02
> https://datatracker.ietf.org/doc/html/draft-ietf-curdle-des-des-des-die-die-die-02
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-curdle-des-des-des-die-die-die-02
> 
> 
> Please note that it may take a couple of minutes from the time of 
> submission until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 