Re: [kitten] Any Interest in a Key Delivery Service?

Ken Hornstein <kenh@pobox.com> Wed, 13 September 2017 01:30 UTC

From: Ken Hornstein <kenh@pobox.com>
To: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
cc: "kitten@ietf.org <kitten@ietf.org>" <kitten@ietf.org>
In-Reply-To: <2FB98F5F-3981-4EFF-8CFF-FF6B5B3D485C@oxy.edu>
References: <2FB98F5F-3981-4EFF-8CFF-FF6B5B3D485C@oxy.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 12 Sep 2017 21:30:56 -0400
Message-Id: <20170913013057.B1BEE8E632@pb-smtp2.pobox.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/-XRsX4HVVnp4Nf_SNa48RVUBTg8>
Subject: Re: [kitten] Any Interest in a Key Delivery Service?

>I have run into a couple of cases where I wanted the kdc to provide --
>not a service ticket -- but an actual encryption key for some data at
>rest. (Specifically an encrypted disk or a database.)

It seems like a lot of people use KMIP for that.  I think it would make
sense to be able to use Kerberos to authenticate to KMIP, but in my brief
interaction with some people who claimed to be KMIP people, they did
not understand why I would want that (there is a super brief mention
of Kerberos in the protocol document, but if you read it closely, clearly
they weren't serious about doing Kerberos authentication for real; the
protocol would need a lot more specification to be something you could
implement).

--Ken