Re: [kitten] Comments on draft-ietf-kitten-krb-spake-preauth-00

Greg Hudson <ghudson@mit.edu> Mon, 14 August 2017 18:01 UTC

To: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
References: <8B29C0AD-409C-4F56-91BB-558DEFCDDFDD@oxy.edu> <3382b1b7-37f9-393b-73ca-7b3c841e67d9@mit.edu> <373E00D6-4459-4466-9FDF-BB70F8EDB403@oxy.edu>
Cc: "kitten@ietf.org" <kitten@ietf.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <b3cb2607-dad0-c44e-7eca-20e6743b231e@mit.edu>
Date: Mon, 14 Aug 2017 14:01:48 -0400
In-Reply-To: <373E00D6-4459-4466-9FDF-BB70F8EDB403@oxy.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/-eA5RXy-ZE7Hmc4roFfhjx0DYlc>
Subject: Re: [kitten] Comments on draft-ietf-kitten-krb-spake-preauth-00

On 08/14/2017 01:30 PM, Henry B (Hank) Hotz, CISSP wrote:
>>> [NIT] Section 4.3, para 2: Delete the word “Next”. On my first reading that led me to think it was describing what to do after “the client completes. . .”. It actually describes the *first* thing to do (in the third pass). I’ve now read it enough times that I’m no longer qualified to say how important that is.
>>
>> The word "Next" is intended, but I can see that "will complete its part
>> of the SPAKE process" is too vague--it is not clear that it is
>> describing a computation step with no protocol messages.  I propose this
>> wording, combining the first two paragraphs:
>>
>>    Upon receipt of the challenge message, the client will complete
>>    its part of the SPAKE algorithm, generating a public key and
>>    computing the shared secret K. Next, the client chooses one of the
>>    second factor types [...]
> 
> Hmmm. I still wasn’t interpreting it right. If you say “next” I wonder what the preceding “first” or “next” was. I didn’t have an explicit referent to halt my mental search. In this case I think it’s:

Perhaps using "then" instead of "next" will help?  Current proposed
wording (with some minor edits to the later sentences):

    Upon receipt of the challenge message, the client will complete
    its part of the SPAKE algorithm, generating a public key and
    computing the shared secret K. The client will then choose one of
    the second factor types listed in the factors field of the challenge
    message and gather whatever data is required for the chosen second
    factor type, possibly using the associated challenge data. Finally,
    the client will send an AS-REQ containing a PA-SPAKE PA-DATA
    element using the response choice.
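The ordering that the proposed wording tries to pin down (a purely local SPAKE computation first, then second-factor selection, and only then the AS-REQ carrying the "response" choice) is easier to see as code. The following is an added example written for this thread; it is not from the draft, from MIT krb5, or from either participant. It assumes SPAKE2 written multiplicatively over a tiny constructed group (q = 1019, subgroup of order 509) in place of the draft's real groups, plain dicts in place of the draft's ASN.1 encodings, and made-up second-factor type numbers; the HMAC binding of the factor data to K is likewise a stand-in for whatever the draft specifies.

```python
"""Added example (not from the draft or the thread): the client-side ordering
described in the proposed Section 4.3 text, as runnable toy code.

  step 1: on receipt of the challenge, finish the SPAKE computation locally
          (client public key T and shared secret K); no message is sent yet
  step 2: choose a second-factor type from the challenge's `factors` field
          and gather its data, possibly using the factor's challenge data
  step 3: only now send the AS-REQ with a PA-SPAKE PA-DATA "response"

Assumptions: a constructed toy group instead of the draft's real groups, dict
layouts instead of the draft's ASN.1, constructed factor type numbers.
Nothing here is secure; it only shows the step ordering."""
import hashlib
import hmac
import secrets

# Constructed toy group: Q is a safe prime; G, M, N are quadratic residues, so
# they lie in the subgroup of prime order P = (Q - 1) / 2.
Q, P = 1019, 509
G, M, N = 4, 9, 16


def _inv(x: int) -> int:
    return pow(x, Q - 2, Q)  # Fermat inverse; Q is prime


def password_scalar(password: bytes) -> int:
    """Toy w in 1..P-1 from the password (the draft uses a proper derivation)."""
    return 1 + int.from_bytes(hashlib.sha256(password).digest(), "big") % (P - 1)


def spake_kdc_challenge(w: int, y: int) -> int:
    """KDC: S = G^y * N^w, sent in the challenge next to the factors list."""
    return (pow(G, y, Q) * pow(N, w, Q)) % Q


def spake_client_complete(w: int, x: int, S: int):
    """Step 1, pure computation: T = G^x * M^w and K = (S / N^w)^x = G^(xy)."""
    T = (pow(G, x, Q) * pow(M, w, Q)) % Q
    K = pow((S * _inv(pow(N, w, Q))) % Q, x, Q)
    return T, K


def spake_kdc_finish(w: int, y: int, T: int) -> int:
    """KDC side of the same computation: K = (T / M^w)^y = G^(xy)."""
    return pow((T * _inv(pow(M, w, Q))) % Q, y, Q)


def choose_second_factor(challenge: dict, available: dict):
    """Step 2: take the first listed factor type the client can supply and
    hand that factor's challenge data (if any) to the gathering callback."""
    for factor in challenge["factors"]:
        gather = available.get(factor["type"])
        if gather is not None:
            return factor["type"], gather(factor.get("data"))
    raise ValueError("no second factor type in the challenge is supported")


def factor_tag(K: int, factor_type: int, factor_data: bytes) -> bytes:
    """Toy binding of the second-factor data to the SPAKE secret K."""
    key = K.to_bytes(2, "big")
    return hmac.new(key, bytes([factor_type]) + factor_data, hashlib.sha256).digest()


def client_build_response(challenge: dict, password: bytes, available: dict, x=None):
    """Steps 1-3 in the order of the proposed wording; returns the toy PA-DATA
    payload for the AS-REQ and the client's K (returned only for checking)."""
    w = password_scalar(password)
    x = x if x is not None else 1 + secrets.randbelow(P - 1)
    T, K = spake_client_complete(w, x, challenge["pubkey"])       # step 1
    ftype, fdata = choose_second_factor(challenge, available)     # step 2
    pa_spake = {"choice": "response", "pubkey": T,                # step 3
                "factor": {"type": ftype, "data": fdata,
                           "tag": factor_tag(K, ftype, fdata)}}
    return pa_spake, K


def kdc_verify_response(pa_spake: dict, password: bytes, y: int) -> bool:
    """KDC derives K from the client's T and checks the factor binding."""
    w = password_scalar(password)
    K = spake_kdc_finish(w, y, pa_spake["pubkey"])
    f = pa_spake["factor"]
    return hmac.compare_digest(f["tag"], factor_tag(K, f["type"], f["data"]))


def demo(password: bytes = b"hunter2", otp: bytes = b"123456"):
    """Whole exchange on constructed sample data: (verified, K_client, K_kdc)."""
    w = password_scalar(password)
    y = 1 + secrets.randbelow(P - 1)
    challenge = {"pubkey": spake_kdc_challenge(w, y),
                 "factors": [{"type": 2, "data": b"otp-prompt"},  # constructed
                             {"type": 1, "data": None}]}          # constructed
    available = {2: lambda prompt: otp}  # this client can only do type 2
    pa_spake, K_client = client_build_response(challenge, password, available)
    K_kdc = spake_kdc_finish(w, y, pa_spake["pubkey"])
    return kdc_verify_response(pa_spake, password, y), K_client, K_kdc


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see one full exchange; the point to notice is that `spake_client_complete` produces no message at all, and the only thing the client transmits is the `pa_spake` dict built in step 3, which is why "will complete its part of the SPAKE algorithm" describes a computation rather than a protocol round trip.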