Re: [dhcwg] Comments on draft-ietf-dhc-pktc-kerb-tckt-00.txt

Sam Hartman <hartmans@mit.edu> Sun, 09 March 2003 14:16 UTC

To: Paul Duffy <paduffy@cisco.com>
Cc: dhcwg@ietf.org, Ken Raeburn <raeburn@mit.edu>
Subject: Re: [dhcwg] Comments on draft-ietf-dhc-pktc-kerb-tckt-00.txt
References: <4.3.2.7.2.20030226170700.023e6bd8@funnel.cisco.com>
From: Sam Hartman <hartmans@mit.edu>
Date: Sat, 08 Mar 2003 15:45:19 -0500
In-Reply-To: <4.3.2.7.2.20030226170700.023e6bd8@funnel.cisco.com> (Paul Duffy's message of "Wed, 26 Feb 2003 17:17:13 -0500")
Message-ID: <tsl8yvp8u5c.fsf@konishi-polis.mit.edu>

>>>>> "Paul" == Paul Duffy <paduffy@cisco.com> writes:

    Paul> I sense that your main objection to this draft is that it
    Paul> implies that PacketCable Security is not 100% RFC 1510
    Paul> compliant.  Will one or two lines clarifying this, along
    Paul> with a ref to the PacketCable Security spec, suffice?

That's my only objection to the existence of the draft, yes.  As you
point out, the IESG has already decided they disagree with me, so this
objection should be ignored.

    Paul> Something along the line of...

    Paul> "Note that the PacketCable Security Specification differs
    Paul> from RFC 1510, see [ref] for full technical details of
    Paul> PacketCable's Kerberos implementation".

Looks good.


    Paul> Agreed.  Service authorization is a bogus/incorrect
    Paul> argument. The text...

    Paul> "The service provider requires this capability to support
    Paul> operational functions such as disabling a subscriber's
    Paul> service, forcing re-establishment of security associations,
    Paul> or for testing and remote diagnostic of CCDs. "

    Paul> ...needs to be changed to something like...

    Paul> "The service provider requires this capability to support
    Paul> operational functions such as forcing re-establishment of
    Paul> security associations or for testing and remote diagnostic
    Paul> of CCDs. "

Sounds reasonable.


    Paul> I share Ken's concerns re: forcing all tickets to expire.
    Paul> Public key ops are expensive and we try to avoid them when
    Paul> possible (for scaling reasons, avalanche restart conditions,
    Paul> etc.).

But you should only need a PKI op for the TGT not for each service
ticket.
