Re: [Gen-art] Gen-ART Review of draft-ietf-kitten-pkinit-freshness-07

Michiko Short <michikos@microsoft.com> Thu, 01 December 2016 17:33 UTC

From: Michiko Short <michikos@microsoft.com>
To: Jari Arkko <jari.arkko@piuha.net>, Benjamin Kaduk <kaduk@MIT.EDU>
Date: Thu, 1 Dec 2016 17:33:04 +0000
Message-ID: <CY1PR03MB2315CDB12CB1D097815FAD33D08F0@CY1PR03MB2315.namprd03.prod.outlook.com>
References: <EE7359A5-ACD3-4CD1-B1B0-E01579203FFE@gmail.com> <0AD0BB5E-1539-4C38-99A4-B40AD4E9D9A1@vigilsec.com> <CY1PR03MB23155A8C6BEE7C1E24F5DCF1D08A0@CY1PR03MB2315.namprd03.prod.outlook.com> <BLUPR03MB145845F42132DFA15862A79FCD8A0@BLUPR03MB1458.namprd03.prod.outlook.com> <20161201025912.GQ8460@kduck.kaduk.org> <484BE147-BB9C-4302-9CA1-1BF23B1AE04C@piuha.net>
In-Reply-To: <484BE147-BB9C-4302-9CA1-1BF23B1AE04C@piuha.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/IGR_sDTl5HSP8WEF21NOvVx2QoA>
Cc: "Paul Miller \(NT\)" <paumil@microsoft.com>, IETF Gen-ART <gen-art@ietf.org>, "draft-ietf-kitten-pkinit-freshness.all@ietf.org" <draft-ietf-kitten-pkinit-freshness.all@ietf.org>
Subject: Re: [Gen-art] Gen-ART Review of draft-ietf-kitten-pkinit-freshness-07

Ok, since the answer is not obvious, starting a thread on Kitten.

-----Original Message-----
From: Jari Arkko [mailto:jari.arkko@piuha.net] 
Sent: Thursday, December 1, 2016 1:30 AM
To: Benjamin Kaduk <kaduk@MIT.EDU>
Cc: Paul Miller (NT) <paumil@microsoft.com>; Michiko Short <michikos@microsoft.com>; IETF Gen-ART <gen-art@ietf.org>; draft-ietf-kitten-pkinit-freshness.all@ietf.org
Subject: Re: [Gen-art] Gen-ART Review of draft-ietf-kitten-pkinit-freshness-07

Many thanks for your review, Russ, and for thinking about this space and what issues there might be.

I too am concerned about the issue that Russ Housley raised: bad practices in creating the freshness tokens create a security issue. If this cannot be handled in the way that Russ initially suggested (setting a minimum number of bits), then a proper discussion of the issue and recommendations to avoid the problems need to be included in the security considerations section.

I fully recognise the point from the authors that different styles of creating the tokens result in different implications, and that setting a mere minimum number of bits may not be appropriate.

Jari
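The thread treats how the token is built as the KDC's choice, and the disagreement is over whether "a minimum number of bits" is a meaningful rule across those choices. The following is an added example, my own code and not the draft authors' or any KDC implementation's, putting three constructions side by side: a keyed timestamp (stateless), a remembered random nonce (stateful), and the bare timestamp that the review is worried about. The token layouts, the 300 second lifetime, the 32 byte MAC key policy and the fixed clock values are assumptions for illustration.

```python
"""Added example: three ways a KDC could build the opaque PKINIT freshness token."""
import hashlib
import hmac
import secrets
import struct

TOKEN_LIFETIME = 300   # seconds a token stays acceptable (assumed KDC policy)
MIN_KEY_BYTES = 32     # MAC key length the KDC insists on (assumed KDC policy)


class KeyedTimestampKdc:
    """Stateless: token = timestamp || HMAC-SHA256(key, timestamp). The token
    carries no random bits at all; unforgeability rests on the KDC key, so a
    'minimum random bits in the token' rule says nothing about its strength."""

    def __init__(self, key: bytes) -> None:
        if len(key) < MIN_KEY_BYTES:
            raise ValueError("KDC freshness MAC key too short")
        self._key = key

    def issue(self, now: int) -> bytes:
        body = struct.pack(">Q", now)
        return body + hmac.new(self._key, body, hashlib.sha256).digest()

    def verify(self, token: bytes, now: int) -> bool:
        if len(token) != 8 + 32:
            return False
        body, tag = token[:8], token[8:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time check
            return False
        age = now - struct.unpack(">Q", body)[0]
        return 0 <= age <= TOKEN_LIFETIME               # no stale, no future-dated


class RandomNonceKdc:
    """Stateful: token = random value the KDC remembers and accepts once. Here
    the entropy in the token is exactly what matters, which is the case a
    minimum-bits rule was written for."""

    def __init__(self, nbytes: int) -> None:
        self._nbytes = nbytes
        self._issued = {}                               # token -> issue time

    def issue(self, now: int) -> bytes:
        token = secrets.token_bytes(self._nbytes)
        self._issued[token] = now
        return token

    def verify(self, token: bytes, now: int) -> bool:
        issued_at = self._issued.pop(token, None)       # pop: one use only
        return issued_at is not None and now - issued_at <= TOKEN_LIFETIME


class BareTimestampKdc:
    """The bad practice: token = timestamp, nothing keyed, nothing remembered.
    64 bits long, so it passes a naive size rule, yet anyone can mint one."""

    def issue(self, now: int) -> bytes:
        return struct.pack(">Q", now)

    def verify(self, token: bytes, now: int) -> bool:
        age = now - struct.unpack(">Q", token)[0]
        return 0 <= age <= TOKEN_LIFETIME


def forge_for_time(when: int) -> bytes:
    """Attacker with brief access to a client signing key: pre-mint tokens for later."""
    return struct.pack(">Q", when)


def run_checks() -> dict:
    """Exercise the three constructions on a fixed clock and report outcomes."""
    t0 = 1_480_000_000                                 # constructed start time
    keyed = KeyedTimestampKdc(secrets.token_bytes(MIN_KEY_BYTES))
    nonce, bare = RandomNonceKdc(16), BareTimestampKdc()
    r = {}

    tok = keyed.issue(t0)
    r["keyed_fresh"] = keyed.verify(tok, t0 + 10)
    r["keyed_forged"] = keyed.verify(forge_for_time(t0) + b"\x00" * 32, t0)
    r["keyed_stale"] = keyed.verify(tok, t0 + TOKEN_LIFETIME + 1)

    tok = nonce.issue(t0)
    r["nonce_first_use"] = nonce.verify(tok, t0 + 10)
    r["nonce_replay"] = nonce.verify(tok, t0 + 11)

    forged = forge_for_time(t0 + 3600)                 # made with no KDC involved
    r["bare_accepts_forgery"] = bare.verify(forged, t0 + 3600)
    return r


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:22s} {ok}")
```

The property a security considerations section would want is the one each verify method is judged on here: a token must be impossible to produce without the KDC's participation (a key or remembered state) and must be bounded in age, with single use where the KDC keeps state. Measured that way, the bare timestamp fails even though it has more bits than the 16 byte nonce, and the keyed timestamp passes with no random bits in the token at all, which is why a bit count alone does not capture the requirement.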