Re: [kitten] Murray Kucherawy's No Objection on draft-ietf-kitten-krb-spake-preauth-11: (with COMMENT)
Greg Hudson <ghudson@mit.edu> Thu, 18 January 2024 18:15 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 684A7C14F600 for <kitten@ietfa.amsl.com>; Thu, 18 Jan 2024 10:15:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.109
X-Spam-Level:
X-Spam-Status: No, score=-7.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vEonKXIWPVrW for <kitten@ietfa.amsl.com>; Thu, 18 Jan 2024 10:15:17 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEFE6C14F6FB for <kitten@ietf.org>; Thu, 18 Jan 2024 10:15:16 -0800 (PST)
Received: from [100.64.0.1] (pool-173-76-238-212.bstnma.fios.verizon.net [173.76.238.212]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 40IIF8al003584 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Thu, 18 Jan 2024 13:15:10 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1705601711; bh=LV6bnKC7Svcl6dizOkl0DxZnsbqkexyZTaqdrxuY7ws=; h=Message-ID:Date:MIME-Version:Subject:From:Content-Type; b=N5QbvAY6WlX7lBDgxBYk3XvBTje1tMgc/KagmoSr0XD+nsnnwMpDwsheHLUe16bs5 5b45oeINE0Itwd24fIcA8n6p/xtPHn3sYBaM2G6iDAHqLVJfNDtrbVKsjd55rjAdDJ Tig7a7L86tOlkcJ17P75KzbtFnzSfFdyvANjrHy5euQvTUFbWH/z94KZ8qonPX9LAa uiARyFcm6rB+wdycWp47lEJKLrXu/NwfOfc0QNlynA1TyGlOEFqpk3rkoxxt30MCeq Mxn7I4U83bg+Ix+5Admcqz1HteG3VglbCtbdPu8eYjyGekg2nyC6qN39ghulMD/9m0 1ZJYhKhPW4h1A==
Message-ID: <d5d9e798-c6c1-4f15-a1f2-4e08580a70c4@mit.edu>
Date: Thu, 18 Jan 2024 13:15:08 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Murray Kucherawy <superuser@gmail.com>, The IESG <iesg@ietf.org>
Cc: draft-ietf-kitten-krb-spake-preauth@ietf.org, kitten-chairs@ietf.org, kitten@ietf.org, Nicolas Williams <nico@cryptonector.com>
References: <170559100930.21281.8142882686300667918@ietfa.amsl.com>
From: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <170559100930.21281.8142882686300667918@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/5J0aH4TbrtPnwXEd-kJsrHkCT_c>
Subject: Re: [kitten] Murray Kucherawy's No Objection on draft-ietf-kitten-krb-spake-preauth-11: (with COMMENT)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2024 18:15:21 -0000
On 1/18/24 10:16, Murray Kucherawy via Datatracker wrote:
> In Section 12, we're telling the Designated Experts that an I-D counts as a
> specification, even if it is never published as an RFC. But an I-D can expire.
> Are we OK with having an IANA registry with an entry that claims as its
> authoritative specification an expired I-D?
I assume this comment is not intended to be actionable by the draft
editors, as the situation will be rectified if the draft advances to
RFC. The IANA Kerberos preauthentication registry contains references
to numerous expired drafts besides this one.
> Section 12.2.2 appears to have four registrations all run together. Could we
> separate them somehow, either with line breaks or with subsections?
I will add subsections.
> Section 4.1: Why is this only a SHOULD? Is it OK if I do something different?
Per this and Roman's comment, I will add the parenthetical "(unless
configuration indicates otherwise)".
> Section 4.3: Same question.
I will change this to a MUST.
> 9. Hint for Authentication Sets
>
> Why MAY and not SHOULD?
I will change this to SHOULD. (To provide a little context,
pre-authentication sets from RFC 6113 have never been implemented to my
knowledge.)
> Phrasing around MUST NOT and must only could be clearer, and is possibly the
> reason for the MAYs?
I don't understand this comment. The sentence "A KDC MUST NOT include a
PA-SPAKE-HINT message directly in a pa-value field" is trying to
forestall the potential implementation error of placing a PA-SPAKE-HINT
in the pa-value field of a SPAKE pa-data element, rather than in a
pre-authentication set.
> 10.2 Unauthenticated Plaintext
>
>> Second factor
> types MUST account for this when specifying the semantics of the data
> field.
>
> It's not clear (to me) how to comply with this MUST, an example of citation
> might help.
The following sentence ("Second factor data in the challenge should not
be included in user prompts...") is an example of accounting for the
lack of initial integrity protection on the second-factor challenge. I
will add "In particular," at the beginning of that sentence to make that
more clear.
> In 10.4
>
> Several SHOULD's that maybe ought to be MUSTs?
I think there might be other methods to address cookie replay attacks in
a KDC implementation, or to mitigate the risk of falling back to
encrypted timestamp in a client.
> It would be nice to see clearer recommendations on achieving forward secrecy,
> and on rotating the cookie.
SPAKE pre-authentication provides forward secrecy against
post-compromise of the principal long-term key (typically a user
password), but does not help against post-compromise of the KDC's own
krbtgt keys. I don't really anticipate KDC implementations trying to
achieve forward secrecy against the latter threat. Accordingly, I will
remove the sentence talking about rotating the cookie encryption key.
- [kitten] Murray Kucherawy's No Objection on draft… Murray Kucherawy via Datatracker
- Re: [kitten] [Ext] Murray Kucherawy's No Objectio… Amanda Baber
- Re: [kitten] Murray Kucherawy's No Objection on d… Greg Hudson
- Re: [kitten] Murray Kucherawy's No Objection on d… Nico Williams
- Re: [kitten] Murray Kucherawy's No Objection on d… Murray S. Kucherawy
- Re: [kitten] Murray Kucherawy's No Objection on d… Nico Williams
- Re: [kitten] Murray Kucherawy's No Objection on d… Eric Vyncke (evyncke)
- Re: [kitten] Murray Kucherawy's No Objection on d… Simo Sorce
- Re: [kitten] Murray Kucherawy's No Objection on d… Murray S. Kucherawy
- Re: [kitten] Murray Kucherawy's No Objection on d… Nico Williams
- Re: [kitten] Murray Kucherawy's No Objection on d… Russ Allbery
- Re: [kitten] Murray Kucherawy's No Objection on d… Murray S. Kucherawy
- Re: [kitten] Murray Kucherawy's No Objection on d… Stephen Farrell
- Re: [kitten] Murray Kucherawy's No Objection on d… Murray S. Kucherawy
- Re: [kitten] Murray Kucherawy's No Objection on d… Eliot Lear
- Re: [kitten] Murray Kucherawy's No Objection on d… Murray S. Kucherawy
- Re: [kitten] Murray Kucherawy's No Objection on d… Greg Hudson
- Re: [kitten] Murray Kucherawy's No Objection on d… Eliot Lear