IETF Logo Mail Archive

[kitten] Options for IAKERB compatibility issue

Greg Hudson <ghudson@MIT.EDU> Mon, 06 May 2013 18:34 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 122FF21F930C for <kitten@ietfa.amsl.com>; Mon, 6 May 2013 11:34:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gi3W29dtm8s7 for <kitten@ietfa.amsl.com>; Mon, 6 May 2013 11:34:31 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (DMZ-MAILSEC-SCANNER-2.MIT.EDU [18.9.25.13]) by ietfa.amsl.com (Postfix) with ESMTP id 7947621F92F5 for <kitten@ietf.org>; Mon, 6 May 2013 11:34:31 -0700 (PDT)
X-AuditID: 1209190d-b7f716d000005557-e8-5187f7b60518
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id 20.F1.21847.6B7F7815; Mon, 6 May 2013 14:34:30 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id r46IYTpI028616 for <kitten@ietf.org>; Mon, 6 May 2013 14:34:30 -0400
Received: from localhost (EQUAL-RITES.MIT.EDU [18.18.1.59]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id r46IYS6I006783 for <kitten@ietf.org>; Mon, 6 May 2013 14:34:29 -0400
From: Greg Hudson <ghudson@MIT.EDU>
To: kitten@ietf.org
Date: Mon, 06 May 2013 14:34:23 -0400
Message-ID: <x7d4neg555c.fsf@equal-rites.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrCIsWRmVeSWpSXmKPExsUixCmqrLvte3ugwf8zChZHN69icWD0WLLk J1MAYxSXTUpqTmZZapG+XQJXxpOtb5kKTvFVXJpym7WB8Q53FyMnh4SAicTCvk0sELaYxIV7 69lAbCGBfYwSBw97QNjHGCXerSvsYuQCstuZJA49PMAEkmATUJY4ePYbWLOIgLDE7q3vmEFs YQF9ib9THrCD2CwCqhLz3x8BGsrBwStgKHHtWw5ImFdAUOLkzCdgrcwCWhI3/r1kmsDIMwtJ ahaS1AJGplWMsim5Vbq5iZk5xanJusXJiXl5qUW6Rnq5mSV6qSmlmxjBgSHJu4Px3UGlQ4wC HIxKPLwKp9oDhVgTy4orcw8xSnIwKYnyhnwFCvEl5adUZiQWZ8QXleakFh9ilOBgVhLhrVwD lONNSaysSi3Kh0lJc7AoifNeSbnpLySQnliSmp2aWpBaBJOV4eBQkuAN+gbUKFiUmp5akZaZ U4KQZuLgBBnOAzT8PUgNb3FBYm5xZjpE/hSjopQ4by1IQgAkkVGaB9cLi9xXjOJArwjzeoJU 8QCjHq77FdBgJqDBCXxgg0sSEVJSDYxm27tO7eA8Nt9SVqJ9x6033rZuGzuOPfrDP1PnzhSO 9NNWra6Tna+6Ot2LSLh2cdLZZofrhzWPrVKYuUWAqWWm7a57CT9vvtPxZRb91/XOVe3Cq7rG e1Fn1n7yf19hdLgneWef1eY9Qscui/+0lX7nP+do4V3DbZxSljw2kobrtspme78R23BXiaU4 I9FQi7moOBEAYTzYALcCAAA=
Subject: [kitten] Options for IAKERB compatibility issue
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 May 2013 18:34:37 -0000

Here are some options for addressing the superficial incompatibilities
between MIT's implementation of draft-zhu-ws-kerb and the current
draft-kitten-ietf-iakerb (see [1] and [2] for details).

1. We can ignore the problem.  MIT's implementation won't be compatible
   with the standard and we won't be able to make it compatible without
   breaking compatibility with ourselves.

2. We can revert to the draft-zhu-ws-kerb superficialities.  This works
   great for MIT, but presents OSX with the same problem as MIT would
   have in #1.

3. We can make the standard semi-compatible with both implementations:
   - always generate generic token framing
   - process framed or unframed messages after the first initiator token
   - acceptors must process either kind of finished extension
   - initiators may send either kind of finished extension
   A standard acceptor would work with MIT and OSX initiators.  A
   standard initiator can only be compatible with MIT or OSX acceptors
   (it has to guess which type of finished extension to send), but will
   always be compatible with a standard acceptor.

4. Possibly in addition to #3, we could extend IAKERB-HEADER with a new
   field that acts as an "I implement the standard" cue.  This option
   would give MIT a path to generating the pku2u-style of finished
   extension, but it doesn't create a better compatibility matrix than
   just requiring acceptors to allow both kinds of finished extension.

5. We can define a new mech OID for the standard.  I don't like this
   option because I don't like proliferating krb5 mech OIDs.  It also
   means the standard wouldn't interoperate with either OSX's or Apple's
   implementation.

[1] http://www.ietf.org/mail-archive/web/kitten/current/msg03919.html
[2] http://www.ietf.org/mail-archive/web/kitten/current/msg03984.html

v2.23.0 | Report a Bug | By Email