IETF Logo Mail Archive

Re: [kitten] [Curdle] I-D Action: draft-ietf-curdle-des-des-des-die-die-die-03.txt

Benjamin Kaduk <kaduk@mit.edu> Fri, 16 June 2017 04:07 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20FEF126DCA for <kitten@ietfa.amsl.com>; Thu, 15 Jun 2017 21:07:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rsCIZMhgiMpQ for <kitten@ietfa.amsl.com>; Thu, 15 Jun 2017 21:07:31 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5BCA1200F3 for <kitten@ietf.org>; Thu, 15 Jun 2017 21:07:30 -0700 (PDT)
X-AuditID: 1209190c-257ff700000025d9-65-594359818ef0
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 11.01.09689.18953495; Fri, 16 Jun 2017 00:07:29 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id v5G47Sf2012738 for <kitten@ietf.org>; Fri, 16 Jun 2017 00:07:28 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v5G47Pl7013337 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <kitten@ietf.org>; Fri, 16 Jun 2017 00:07:27 -0400
Date: Thu, 15 Jun 2017 23:07:25 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: kitten@ietf.org
Message-ID: <20170616040724.GO39245@kduck.kaduk.org>
References: <149758570844.11259.2151834891785499164@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <149758570844.11259.2151834891785499164@ietfa.amsl.com>
User-Agent: Mutt/1.7.1 (2016-10-04)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrCIsWRmVeSWpSXmKPExsUixCmqrdsY6RxpsHahicXRzatYHBg9liz5 yRTAGMVlk5Kak1mWWqRvl8CV0XWsk62gU6Li1NQp7A2Mf4S6GDk5JARMJM49eM3UxcjFISSw mEni+85j7BDOcUaJtv8HoTKvmSR+/pnADtLCIqAq8ar3GiOIzSagItHQfZkZxBYREJbYvfUd mC0sECJxp/EFaxcjBwcv0Iq195RAwkICzhK33v4CG8MrIChxcuYTFhCbWUBL4sa/l0wg5cwC 0hLL/3GAhDkFXCTaz59hArFFBZQl/h6+xzKBkX8Wku5ZSLpnIXQvYGRexSibklulm5uYmVOc mqxbnJyYl5dapGuol5tZopeaUrqJERx4kjw7GM+88TrEKMDBqMTDq9DgFCnEmlhWXJl7iFGS g0lJlJdfDijEl5SfUpmRWJwRX1Sak1p8iFGCg1lJhPdzsHOkEG9KYmVValE+TEqag0VJnFdC ozFCSCA9sSQ1OzW1ILUIJivDwaEkwdseAdQoWJSanlqRlplTgpBm4uAEGc4DNHyHK8jw4oLE 3OLMdIj8KUZFKXHezHCghABIIqM0D64XlBgksvfXvGIUB3pFmHc2yAoeYFKB634FNJgJaHDQ BQeQwSWJCCmpBsZTd4XzbBZEZP3/Y6f7MUN3b5Di1AVfvv3QKnp+8aaL/Mp/VferNRzq5R9f cLgsf/zq0zCn/TFXjRW3Mlnefpy17LHn9+cbvxYrpttUPDzWcD893WrX3cv+K6Pqe1+VL9pv 17j0taBm1O4d57ZpqkoeiFn/fbkuW+hnptsGEXLdgYfnnQ982OOnxFKckWioxVxUnAgAivKw GOcCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/-olXA5-RInLnQiBsUPDepuvXREE>
Subject: Re: [kitten] [Curdle] I-D Action: draft-ietf-curdle-des-des-des-die-die-die-03.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jun 2017 04:07:33 -0000

Hi everyone,

As far as I know, this version is ready to be sent to the IESG for
approval.

The -03 adds this text (including known typo):

   Fortuntately, modern (i.e., supported) Kerberos implementations
   support a secure alternative to RC4, in the form of AES.  Windows has
   supported AES since 2007-2008 with the release of Windows Vista and
   Server 2008, respectively; MIT Kerberos [MITKRB5] has fully supported
   AES (including the GSSAPI mechanism) since 2004 with the release of
   version 1.3.2; Heimdal [HEIMDAL] has fully supported AES since 2005
   with the release of version 0.7.  Though there may still be issues
   running ten-year-old unsupported software in mixed environments with
   new software, issues of that sort seem unlikely to be unique to
   Kerberos, and the aministrators of such environments are expected to
   be capable of devising workarounds.

It would be good to get independent confirmation of those
dates/release numbers; the windows ones I took from Michiko's email
and the Heimdal one from Chaskiel's mail.  (I did the MIT research
myself, and picked 1.3.2 to include the GSSAPI mechanism instead of
1.3 which had the bare enctype.)

Thanks,

Ben



On Thu, Jun 15, 2017 at 09:01:48PM -0700, internet-drafts@ietf.org wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the CURves, Deprecating and a Little more Encryption of the IETF.
> 
>         Title           : Deprecate 3DES and RC4 in Kerberos
>         Authors         : Benjamin Kaduk
>                           Michiko Short
> 	Filename        : draft-ietf-curdle-des-des-des-die-die-die-03.txt
> 	Pages           : 9
> 	Date            : 2017-06-15
> 
> Abstract:
>    The 3DES and RC4 encryption types are steadily weakening in
>    cryptographic strength, and the deprecation process should be begun
>    for their use in Kerberos.  Accordingly, RFC 4757 is moved to
>    Obsolete status, as none of the encryption types it specifies should
>    be used, and RFC 3961 is updated to note the deprecation of the
>    triple-DES encryption types.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-curdle-des-des-des-die-die-die/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-curdle-des-des-des-die-die-die-03
> https://datatracker.ietf.org/doc/html/draft-ietf-curdle-des-des-des-die-die-die-03
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-curdle-des-des-des-die-die-die-03
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle

v2.23.0 | Report a Bug | By Email