Re: [Gen-art] Gen-ART Review of draft-ietf-kitten-pkinit-freshness-07

Benjamin Kaduk <kaduk@mit.edu> Thu, 01 December 2016 02:59 UTC

Date: Wed, 30 Nov 2016 20:59:12 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Paul Miller (NT)" <paumil@microsoft.com>
Cc: Michiko Short <michikos@microsoft.com>, IETF Gen-ART <gen-art@ietf.org>, "draft-ietf-kitten-pkinit-freshness.all@ietf.org" <draft-ietf-kitten-pkinit-freshness.all@ietf.org>
Message-ID: <20161201025912.GQ8460@kduck.kaduk.org>
In-Reply-To: <BLUPR03MB145845F42132DFA15862A79FCD8A0@BLUPR03MB1458.namprd03.prod.outlook.com>
References: <EE7359A5-ACD3-4CD1-B1B0-E01579203FFE@gmail.com> <0AD0BB5E-1539-4C38-99A4-B40AD4E9D9A1@vigilsec.com> <CY1PR03MB23155A8C6BEE7C1E24F5DCF1D08A0@CY1PR03MB2315.namprd03.prod.outlook.com> <BLUPR03MB145845F42132DFA15862A79FCD8A0@BLUPR03MB1458.namprd03.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/v_qqCeImd_PPk8fyD55XGs8djlw>

On Mon, Nov 28, 2016 at 09:53:35PM +0000, Paul Miller (NT) wrote:
> Minimum length is a problematic topic due to the fact that we intentionally did not specify the format of the freshness token.  Since the structure of the freshness token is left up to the KDC, there is no good way to determine a minimum size.  If the freshness token is a nonce then the size is determined by the birthday problem.  If it is based on symmetric cryptography, then there are different length considerations.  If it is based on asymmetric crypto then there is a third set of size considerations.

We could still mention in the security considerations that depending on the
construction of the token, the token should have some minimum size; essentially,
your text from above.

-Ben
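The size considerations the thread discusses, as an added illustration that is not part of the draft or of either correspondent's message: a KDC-side sketch of two freshness-token constructions (a stored single-use nonce, and a stateless HMAC-over-timestamp token) together with the birthday-bound computation that sets a minimum nonce length. The token layout, the 5-minute window, the KDC key and the issued-token counts are all assumptions made for the example; the draft leaves the token's structure to the KDC.

```python
"""Constructed example of KDC-side freshness-token choices and their size bounds.

Not code from draft-ietf-kitten-pkinit-freshness or any KDC; the layouts,
window and key below are assumptions for illustration.
"""
import hashlib
import hmac
import math
import os
import struct


def birthday_collision_probability(bits: int, n: int) -> float:
    """Probability that n uniformly random `bits`-bit values contain a repeat,
    using the standard birthday approximation 1 - exp(-n(n-1) / 2^(bits+1))."""
    x = n * (n - 1) / 2 ** (bits + 1)
    return -math.expm1(-x)  # expm1 keeps precision for tiny x


def min_nonce_bits(n_tokens: int, max_prob: float) -> int:
    """Smallest nonce length (bits) that keeps the repeat probability across
    n_tokens issued tokens at or below max_prob. This is the 'birthday problem'
    sizing the thread mentions for nonce-style tokens."""
    for bits in range(1, 1025):
        if birthday_collision_probability(bits, n_tokens) <= max_prob:
            return bits
    raise ValueError("no nonce length up to 1024 bits satisfies the bound")


class NonceFreshnessTokens:
    """Stateful construction (assumed): the token is a random nonce the KDC
    remembers and accepts exactly once, inside its validity window. Its
    minimum size follows from min_nonce_bits() for the expected issue volume."""

    def __init__(self, nonce_bytes: int = 16, window: int = 300):
        self.nonce_bytes = nonce_bytes
        self.window = window
        self.outstanding: dict[bytes, int] = {}  # nonce -> issue time

    def issue(self, now: int) -> bytes:
        nonce = os.urandom(self.nonce_bytes)
        self.outstanding[nonce] = now
        return nonce

    def verify(self, token: bytes, now: int) -> bool:
        issued = self.outstanding.pop(token, None)  # single use: remove on first check
        return issued is not None and 0 <= now - issued <= self.window


class MacFreshnessTokens:
    """Stateless symmetric construction (assumed): token = ts(8) || rnd(16) ||
    HMAC-SHA256(key, ts || rnd). Here the size question is the MAC tag length
    and key strength, not the birthday bound. Nothing is stored, so a token
    verifies as often as it is presented within the window; that is acceptable
    only because freshness (not single use) is what the token attests."""

    TAG_LEN = 32

    def __init__(self, key: bytes, window: int = 300):
        self.key = key
        self.window = window

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self.key, body, hashlib.sha256).digest()

    def issue(self, now: int) -> bytes:
        body = struct.pack(">Q", now) + os.urandom(16)
        return body + self._mac(body)

    def verify(self, token: bytes, now: int) -> bool:
        if len(token) != 8 + 16 + self.TAG_LEN:
            return False
        body, tag = token[: 8 + 16], token[8 + 16 :]
        if not hmac.compare_digest(tag, self._mac(body)):  # constant-time compare
            return False
        (issued,) = struct.unpack(">Q", body[:8])
        return 0 <= now - issued <= self.window  # reject future-dated and expired


if __name__ == "__main__":
    # Assumed volume: a KDC issuing about a million tokens per window, with a
    # tolerated repeat probability of 2^-32.
    print("nonce bits needed:", min_nonce_bits(2**20, 2**-32))
    kdc = MacFreshnessTokens(b"\x01" * 32)  # constructed key
    tok = kdc.issue(1000)
    print("fresh:", kdc.verify(tok, 1100), "stale:", kdc.verify(tok, 1301))
```

The two classes take `now` as a parameter rather than reading the clock so the window logic can be exercised deterministically; a real KDC would pass its own clock and would also bound clock skew on the low side.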