Re: [kitten] Kerberos Preauth Registration for OAuth2 device flow

Luke Howard <lukeh@padl.com> Wed, 10 November 2021 02:11 UTC

Message-Id: <794E1F16-7319-41FC-A5B4-4C3DD93D0F0A@padl.com>
In-Reply-To: <C5BD5132-FA9A-4E6B-AE8A-36A795E36EC3@lukehoward.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Pavel Březina <pbrezina@redhat.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
References: <tslr1bphs2g.fsf@suchdamage.org> <C5BD5132-FA9A-4E6B-AE8A-36A795E36EC3@lukehoward.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/3vmRjwCjT0hWdU_BxH1i-RGWxBU>

[resending from subscribed email, sorry Sam/Pavel]

Hi Sam,

> AS far as I can tell, the reply key is never used (it is replaced) so a
> long-term password is not needed.

Talking my own book here (although I have no commercial interest) – would the vendor consider defining it as a GSS-API mechanism that could be used with draft-perez-krb-wg-gss-preauth? (I suppose, if it needs to work with MIT as opposed to Heimdal, this may be a non-starter, as the GSS pre-authentication implementation for MIT is experimental and only supports an earlier version of the draft.)

> 1) It appears to have the same issues with anonymous pkinit that OTP
> has.
> You probably do not want to use this FAST factor with an armor ticket you
> got from anonymous pkinit.
> If you do, you need to verify the KDC's identity elsewhere.

Right, this is also something that came up with GSS pre-authentication. Of course, if FAST isn’t used then you also have the same problem.

Can they use TLS inside the PA exchange to authenticate the KDC?

Cheers,
Luke