Re: [kitten] Kerberos Service Discovery using DNS

Rick van Rein <rick@openfortress.nl> Wed, 11 March 2015 14:57 UTC

From: Rick van Rein <rick@openfortress.nl>
Date: Wed, 11 Mar 2015 15:57:37 +0100
To: Greg Hudson <ghudson@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/0YfLqh_jOcGipm6P9dwObbeSDGo>
Cc: kitten@ietf.org

Hi,

>> SRV records point to a hostname, not an IP address.  This hostname
>> is then acceptable for certificates in many protocols — but I’m not
>> sure if that applies to the KDC’s certificates for PKINIT as well.
> 
> RFC 4556 requires that the KDC certificate contain a SAN of type
> id-pkinit-san whose value is the TGT principal name for the realm, and
> also an extended key usage value of id-pkinit-KPKdc.

That takes my concern away.

-Rick
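The two RFC 4556 checks Greg lists (an id-pkinit-san otherName carrying the TGT principal name krbtgt/REALM@REALM, and the id-pkinit-KPKdc extended key usage) as an added example, not code from the thread or from any Kerberos implementation. It builds the expected DER-encoded KRB5PrincipalName with the standard library only and assumes the caller has already pulled the SAN otherName entries and EKU OIDs out of the certificate; the function and helper names are hypothetical.

```python
from typing import List, Tuple

ID_PKINIT_SAN = "1.3.6.1.5.2.2"      # otherName type-id for KRB5PrincipalName
ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"  # EKU that marks a KDC certificate
NT_SRV_INST = 2                      # name-type conventionally used for krbtgt/REALM

def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (bodies below 64 KiB)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def _ctx(n: int, body: bytes) -> bytes:
    return _tlv(0xA0 | n, body)  # EXPLICIT context-specific tag [n]

def _kstr(s: str) -> bytes:
    return _tlv(0x1B, s.encode("ascii"))  # KerberosString is a GeneralString

def _int(v: int) -> bytes:
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def krb5_principal_name(realm: str, components: List[str], name_type: int) -> bytes:
    """DER-encode KRB5PrincipalName ::= SEQUENCE { realm [0], principalName [1] }."""
    pname = _tlv(0x30, _ctx(0, _int(name_type))
                 + _ctx(1, _tlv(0x30, b"".join(_kstr(c) for c in components))))
    return _tlv(0x30, _ctx(0, _kstr(realm)) + _ctx(1, pname))

def expected_kdc_san(realm: str) -> bytes:
    """The id-pkinit-san value a KDC certificate for `realm` must carry."""
    return krb5_principal_name(realm, ["krbtgt", realm], NT_SRV_INST)

def is_pkinit_kdc_cert(other_names: List[Tuple[str, bytes]], ekus: List[str],
                       realm: str) -> Tuple[bool, str]:
    """other_names: (type-id OID, DER value) pairs from the SAN extension;
    ekus: extended-key-usage OIDs.  DER is canonical, so comparing the bytes
    compares realm, components and name-type exactly (assumption: a stricter
    check than a verifier that ignores name-type)."""
    if ID_PKINIT_KPKDC not in ekus:
        return False, "EKU lacks id-pkinit-KPKdc"
    want = expected_kdc_san(realm)
    if not any(oid == ID_PKINIT_SAN and val == want for oid, val in other_names):
        return False, "no id-pkinit-san naming krbtgt/%s@%s" % (realm, realm)
    return True, "ok"
```

The hostname from the SRV record plays no part in this check, which is the point of Greg's answer: a KDC certificate is matched on the realm's TGT principal, not on a dNSName.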