IETF Logo Mail Archive

Re: [kitten] PKCROSS

"Henry B. Hotz" <hotz@jpl.nasa.gov> Thu, 11 July 2013 22:54 UTC

Return-Path: <hotz@jpl.nasa.gov>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5448911E8139 for <kitten@ietfa.amsl.com>; Thu, 11 Jul 2013 15:54:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vVBq3r8HI19f for <kitten@ietfa.amsl.com>; Thu, 11 Jul 2013 15:54:45 -0700 (PDT)
Received: from mail.jpl.nasa.gov (sentrion2.jpl.nasa.gov [128.149.139.106]) by ietfa.amsl.com (Postfix) with ESMTP id 8007511E81B9 for <kitten@ietf.org>; Thu, 11 Jul 2013 15:54:45 -0700 (PDT)
Received: from dhcp-128-149-177-90.jpl.nasa.gov (dhcp-128-149-177-90.jpl.nasa.gov [128.149.177.90]) (authenticated (0 bits)) by smtp.jpl.nasa.gov (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r6BMsiht015506 (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits) verified NO); Thu, 11 Jul 2013 15:54:44 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <CAK3OfOj-g9WYcuLNk0bcWQ7TG3DLWJAnAPuDCKfSOZaF2YJZRA@mail.gmail.com>
Date: Thu, 11 Jul 2013 15:54:45 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <3E0FEBD9-CCB8-4DE2-A967-5521F9DD6C89@jpl.nasa.gov>
References: <CAK3OfOj-g9WYcuLNk0bcWQ7TG3DLWJAnAPuDCKfSOZaF2YJZRA@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
X-Mailer: Apple Mail (2.1508)
X-Source-Sender: hotz@jpl.nasa.gov
X-AUTH: Authorized
Cc: kitten@ietf.org
Subject: Re: [kitten] PKCROSS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2013 22:54:51 -0000

On Jul 11, 2013, at 2:40 PM, Nico Williams <nico@cryptonector.com> wrote:

> I note this text in the current charter:
> 
>  Prepare a standards-track protocol to solve the use cases addressed
>        by draft-hotz-kx509-01 including new support for digital
>        signatures.

Yeah, I really, really need to get back to this.

> The thought occurs that Kerberos + kx509 + PKINIT can be a sort of
> PKCROSS.  

Please elaborate?

The reason *I* would combine kx509 with PKINIT would be the use case of someone needing X.509 credentials on multiple client computers at once.  This is a real use case for us.

I was thinking of PKCROSS the other day as a possible solution to a rather specialized problem:  our realm-name conflict between Unix and AD kerberos.  You might think that for one-way trusts from another realm (like a smart-card-only realm) it would be OK to have both of them trust the other one.  Trouble is that with symmetric crypto if someone hacked the AD realm they could use the one-way trust key to forge other-realm cross-realm authentications to the Unix realm.  (Not picking on Microsoft.  The problem is symmetric.) I suspect that PKCROSS might allow a solution to that, though I have not read the draft to make sure.  I also suspect that it's too specialized a use case to justify the standards effort that would be required.

> That makes me very interested.  It shouldn't be very
> difficult to build that almost entirely out of off-the-shelf protocol
> pieces.  It's not trival though: we'd definitely need policy for
> handling PKIX trust paths,

I've lost a lot of interest in PKIX, per-se.  The overall revocation system is architecturally broken, and I can't tell if the co-chairs even understand the issues.  Instead we have vapor-ware like SCVP and TAMP.

> and it wouldn't minimize the need for PK
> crypto.
> 
> PKCROSS -or similar- is not in-charter at this time.


If we can address use cases which PKIX doesn't, then it sounds valuable.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

v2.23.0 | Report a Bug | By Email