Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt

Greg Hudson <ghudson@mit.edu> Tue, 22 March 2016 12:47 UTC

To: Rick van Rein <rick@openfortress.nl>, "Paul Miller (NT)" <paumil@microsoft.com>
References: <20160321223215.12211.35084.idtracker@ietfa.amsl.com> <56F0945E.5070804@openfortress.nl> <BLUPR0301MB1953F7DDC9FD35D3139F4F20CD800@BLUPR0301MB1953.namprd03.prod.outlook.com> <56F0EFBD.90800@openfortress.nl>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <56F13EEB.70502@mit.edu>
Date: Tue, 22 Mar 2016 08:47:39 -0400
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/17BQqyDU3jyCnnM7qoSUG1o9kZU>
Cc: "kitten@ietf.org" <kitten@ietf.org>, "draft-ietf-kitten-pkinit-freshness@ietf.org" <draft-ietf-kitten-pkinit-freshness@ietf.org>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt

On 03/22/2016 03:09 AM, Rick van Rein wrote:
>> It is the responsibility of the client not to retry indefinitely.
> 
> May I suggest that you state that in the text?  The current draft is a procedure, and could benefit from invariant statements to clarify the cases that fall outside of the intended procedure.

If I understand correctly, we are worried about an infinite loop of
AS-REQ -> KDC_ERR_PREAUTH_EXPIRED -> AS-REQ -> ... due to section 2.5.

If we need to alter this text anyway, I don't like the requirement that
"If a client receives a KDC_ERR_PREAUTH_EXPIRED KRB_ERROR message that
includes a freshness token, it MUST retry using the new freshness
token."  MUSTs are to be used when behavior "is actually required for
interoperation or to limit behavior which has potential for causing
harm" (RFC 2119 section 6).  A client which implements RFC 6113 could
respond to KDC_ERR_PREAUTH_EXPIRED the same way it already does, by
retrying from the beginning, without affecting interoperability or
causing harm.

I suggest the following text:

  If a client receives a KDC_ERR_PREAUTH_EXPIRED KRB_ERROR message that
  includes a freshness token, it SHOULD retry the PKINIT-authenticated
  AS-REQ using the new freshness token.  The client MAY restart the
  conversation instead.  The client MUST limit the number of retries to
  avoid looping forever in case of a misbehaving KDC.
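A small simulation of the retry loop under discussion, added here as an illustration and not code from the draft, from MIT krb5 or from any other Kerberos implementation. The two KDC classes, the token values and the retry bound are constructed; the message and error names follow the draft, and numeric error codes are deliberately left out.

```python
import itertools

# Constructed bound: the proposed text requires *a* limit, not this value.
MAX_FRESHNESS_RETRIES = 3


class FreshnessKdc:
    """Well-behaved KDC: hands out a freshness token and accepts an
    AS-REQ that echoes the token it issued most recently."""

    def __init__(self):
        self._counter = itertools.count(1)
        self.requests = 0            # how many AS-REQs this KDC has seen
        self.current_token = self._issue()

    def _issue(self):
        self.current_token = f"token-{next(self._counter)}".encode()
        return self.current_token

    def handle_as_req(self, token):
        self.requests += 1
        if token == self.current_token:
            return ("AS-REP", None)
        # Stale or missing token: reject and supply a new one, as in section 2.5.
        return ("KDC_ERR_PREAUTH_EXPIRED", self._issue())


class StaleKdc(FreshnessKdc):
    """Misbehaving KDC: reports every token as expired, forever."""

    def handle_as_req(self, token):
        self.requests += 1
        return ("KDC_ERR_PREAUTH_EXPIRED", self._issue())


def pkinit_as_exchange(kdc, max_retries=MAX_FRESHNESS_RETRIES):
    """Client side of the proposed text: retry with the new freshness token
    (SHOULD), but never more than max_retries times (MUST limit).
    Returns (outcome, number of AS-REQs sent)."""
    token = None                     # the first AS-REQ carries no token
    for attempt in range(1, max_retries + 2):
        msg, new_token = kdc.handle_as_req(token)
        if msg == "AS-REP":
            return ("success", attempt)
        if msg == "KDC_ERR_PREAUTH_EXPIRED" and new_token is not None:
            token = new_token        # retry with the token the KDC just issued
            continue
        return ("failed", attempt)   # any other error: do not retry
    return ("gave_up", max_retries + 1)
```

Against the well-behaved KDC the second AS-REQ succeeds; against the stale KDC the client stops after the configured number of retries instead of looping.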