[Curdle] new-AD review comments on draft-ietf-curdle-gss-keyex-sha2-08
Benjamin Kaduk <kaduk@mit.edu> Wed, 08 May 2019 15:06 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1DAC1202C9; Wed, 8 May 2019 08:06:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M_fal3TTAnAC; Wed, 8 May 2019 08:06:20 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D20D5120257; Wed, 8 May 2019 08:06:08 -0700 (PDT)
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x48F64a8010471 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 8 May 2019 11:06:06 -0400
Date: Wed, 08 May 2019 10:06:04 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: draft-ietf-curdle-gss-keyex-sha2@ietf.org
Cc: curdle@ietf.org
Message-ID: <20190508150604.GB30884@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/jTJakXWCo8uIM0r3LlJO5YH2Sl4>
Subject: [Curdle] new-AD review comments on draft-ietf-curdle-gss-keyex-sha2-08
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2019 15:06:33 -0000
Hi all, I'm almost ready to send draft-ietf-curdle-gss-keyex-sha2 to the IESG for evaluation, but would like to see a new revision posted first, mostly for the Abstract changes. In addition to the changes mentioned below, please also go ahead and make the editorial changes mentioned in the last call/directorate reviews. -Ben Abstract This document specifies additions and amendments to RFC4462. It defines a new key exchange method that uses SHA-2 for integrity and deprecates weak DH groups. The purpose of this specification is to I think we need to remove this statement about "deprecates weak DH groups"; I didn't see any further discussion of such deprecations in any revision of the document. Section 2 Following the rationale of [RFC8268] only SHA-256 and SHA-512 hashes are used for DH groups. For NIST curves the same curve-to-hashing algorithm pairing used in [RFC5656] is adopted for consistency. 8268 doesn't provide a whole lot of rationale for using SHA-256, rather, the closest thing to guidance would be in Section 1 where it cites the NSA IAD FAQ that wants to *avoid* using SHA-256. So perhaps it's better to say that this just follows the practice of 8268, rather than the rationale from it, especially since we are just using a "consistency" argument for the NIST curves' hashes. Section 3 RFC 8174 has an updated boilerplate text to use for the BCP 14 keywords. Section 4 The method name for each method is the concatenation of the family method name with the Base64 encoding of the MD5 hash [RFC1321] of the ASN.1 DER encoding [ISO-IEC-8825-1] of the underlying GSS-API mechanism's OID. [...] nit: I'd suggest using the "family name prefix" to match the table, rather than "family method name". Section 5 In [RFC5656] new SSH key exchange algorithms based on Elliptic Curve Cryptography are introduced. We reuse much of section 4 to define GSS-API-authenticated ECDH Key Exchanges. nit: I think this is intended to refer to Section 4 of RFC 5656, but the current text reads like we are referring to Section 4 of the current document. Section 5.1 For NIST Curves keys use uncompressed point representation and must nit: "the" be converted using the algorithm in Section 2.3.4 of [SEC1v2]. If the conversion fails or the point is trasmitted using compressed nit: "the" representation, the key exchange MUST fail. A GSS Context is established according to Section 4 of [RFC5656]; The client initiates the establishment using GSS_Init_sec_context() and the server completes it using GSS_Accept_sec_context(). For the I'm not sure what this reference was intended to be; the current one doesn't really seem right, though. Also, in a fully general GSS negotiation loop, the server does not necessarily make the last step, so "completes" may be slightly misleading. This key exchange process will exchange only a single token once the context has been established, therefore the replay_det_req_flag and sequence_req_flag SHOULD be set to "false". nit: "single message token", since we are not making a statement about context establishment tokens, and the previous text was about the context establishment process which might cause the reader to jump towards context tokens here. For curve25519 and curve448 the algorithm in Section 6 of [RFC7748] is used instead. nits: "algorithms", "are" (since there are different procedures in subsections 6.1 and 6.2 for the two curves). Section 6 It's not clear to me why the "Implementation Support" column is here -- it duplicates content from tables elsewhere in the document, and does not seem to be part of the registration template. Section 7.3 Some GSSAPI mechanisms can optionally delegate credentials to the target host by setting the deleg_ret_flag. In this case extra care must be taken to ensure that the acceptor being authenticated matches the target the user intended. [...] This is a bit weird to read, since the setting of the deleg_ret_flag is not what effectuates the delegation of credentials; that happens by virtue of the exchange of context tokens. (Also, RFC 2743 only lists a deleg_req_flag; the acceptor-side state is passed in the deleg_state boolean.) A simple replacement with deleg_req_flag doesn't work, either, as that's not something the mechanism does, but rather the GSSAPI consumer. So I think we may need a broader change, like: % Some GSSAPI mechanisms can act on a request to delegate credentials to % the target host when the deleg_req_flag is set. In this case, extra care % must be taken to ensure that the acceptor being authenticated matches the % target the user intended. [...] (And yes, I know that I'm basically responsible for this text being present; it may well have been my error originally.)
- [Curdle] new-AD review comments on draft-ietf-cur… Benjamin Kaduk
- Re: [Curdle] new-AD review comments on draft-ietf… Mark D. Baushke
- Re: [Curdle] new-AD review comments on draft-ietf… Benjamin Kaduk
- Re: [Curdle] new-AD review comments on draft-ietf… Hubert Kario
- Re: [Curdle] new-AD review comments on draft-ietf… Simo Sorce
- Re: [Curdle] new-AD review comments on draft-ietf… Benjamin Kaduk
- Re: [Curdle] new-AD review comments on draft-ietf… Benjamin Kaduk