Re: [kitten] Comments on draft-ietf-kitten-krb-spake-preauth-00
Greg Hudson <ghudson@mit.edu> Mon, 14 August 2017 15:13 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19619132357 for <kitten@ietfa.amsl.com>; Mon, 14 Aug 2017 08:13:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lJtyL4BZbMoa for <kitten@ietfa.amsl.com>; Mon, 14 Aug 2017 08:13:28 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B661C13234E for <kitten@ietf.org>; Mon, 14 Aug 2017 08:13:28 -0700 (PDT)
X-AuditID: 12074424-ee3ff70000005919-41-5991be178e3b
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id B3.00.22809.71EB1995; Mon, 14 Aug 2017 11:13:27 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v7EFDROa019782; Mon, 14 Aug 2017 11:13:27 -0400
Received: from [18.101.8.96] (VPN-18-101-8-96.MIT.EDU [18.101.8.96]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7EFDOQt005800 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 14 Aug 2017 11:13:26 -0400
To: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
References: <8B29C0AD-409C-4F56-91BB-558DEFCDDFDD@oxy.edu>
From: Greg Hudson <ghudson@mit.edu>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <3382b1b7-37f9-393b-73ca-7b3c841e67d9@mit.edu>
Date: Mon, 14 Aug 2017 11:13:24 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <8B29C0AD-409C-4F56-91BB-558DEFCDDFDD@oxy.edu>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrDIsWRmVeSWpSXmKPExsUixG6noiu+b2KkwbFvRhYf7y1ksTi6eRWL A5PHkiU/mTy2Nv1lDmCK4rJJSc3JLEst0rdL4Mo41H6KpeCaQMXniQ2MDYxLebsYOTkkBEwk /rz6wdbFyMUhJLCYSeJey3tmCGcjo8SJLc3sEM5BJomT/1YzdjFycAgLeEhc+SEE0i0iYCgx feVEVhBbSMBKYvbqb2A2m4CyxPr9W1lAbGYBdYmjz5vYQGxeoJrp026CxVkEVCV27dwJZosK REg87NzFDlEjKHFy5hOwOKeAtUTHpk9wc/7Mu8QMYctLNG+dzTyBUWAWkpZZSMpmISlbwMi8 ilE2JbdKNzcxM6c4NVm3ODkxLy+1SNdcLzezRC81pXQTIzhQXVR2MHb3eB9iFOBgVOLhnXF9 QqQQa2JZcWXuIUZJDiYlUd4En95IIb6k/JTKjMTijPii0pzU4kOMEhzMSiK8Se0TI4V4UxIr q1KL8mFS0hwsSuK84hqNEUIC6YklqdmpqQWpRTBZGQ4OJQneY3uAGgWLUtNTK9Iyc0oQ0kwc nCDDeYCGq+wFGV5ckJhbnJkOkT/FqCglztsK0iwAksgozYPrBSeSVI6EV4ziQK8I81qCtPMA kxBc9yugwUxAg/tAPuItLklESEk1MEbLW1bzXN7HxHJmz6yNbJGl67LXn1OWTHqidIXnC+Pp /4xTKvTmRkzzeGizW3vGogm1Lss6uX/mPQpvvnGl/k2V/zzV0nK3hHsG7NWfz4bar9GuuCJb +f80z/2njhWya139g3KjmkM+NG/Ycfe+mquaZl5k3URh6wgfl7WvH2pvqvmwp4HprRJLcUai oRZzUXEiAP7f23b/AgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/5_HfvlIcUUxAQHeQkduWO68DWGw>
Subject: Re: [kitten] Comments on draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 15:13:30 -0000
Thanks very much for the review. I know that this draft is a bit denser
than some.
On 08/13/2017 03:24 PM, Henry B (Hank) Hotz, CISSP wrote:
> There are a number of TBDs which need finalizing. (pp 6, 9, 12, & 16)
I can assign padata and key usage numbers, but if the draft changes
incompatibility they might then need to be reassigned. So I plan to
wait until it looks like there is working group consensus on the
substantive parts of the document.
> Section3 should include pointers to where the prerequisites are specified. In the case of PA-FX-COOKIE and KDC_ERR_MORE_PREAUTH_DATA_REQUIRED that is rfc6113, section 5.2. PA-ETYPE-INFO2 is rfc4120, section 3.1.3.
I will add those. In the first prereq, this is a little
awkward--ETYPE-INFO2 support is old hat, but we require the relatively
new behavior (from RFC 6113) of sending only a single entry. My
proposed new text for that prereq is:
This mechanism requires the initial KDC pre-authentication state
to contain a singular reply key. Therefore, a KDC which offers
SPAKE pre-authentication as a stand-alone mechanism MUST supply
a PA-ETYPE-INFO2 value containing a single ETYPE-INFO2-ENTRY,
as described in [RFC6113] section 2.1. PA-ETYPE-INFO2 is
specified in [RFC4120] section 5.2.7.5.
> [NIT] Section 4.3, para 2: Delete the word “Next”. On my first reading that led me to think it was describing what to do after “the client completes. . .”. It actually describes the *first* thing to do (in the third pass). I’ve now read it enough times that I’m no longer qualified to say how important that is.
The word "Next" is intended, but I can see that "will complete its part
of the SPAKE process" is too vague--it is not clear that it is
describing a computation step with no protocol messages. I propose this
wording, combining the first two paragraphs:
Upon receipt of the challenge message, the client will complete
its part of of the SPAKE algorithm, generating a public key and
computing the shared secret K. Next, the client chooses one of the
second factor types [...]
- [kitten] Comments on draft-ietf-kitten-krb-spake-… Henry B (Hank) Hotz, CISSP
- Re: [kitten] Comments on draft-ietf-kitten-krb-sp… Greg Hudson
- Re: [kitten] Comments on draft-ietf-kitten-krb-sp… Henry B (Hank) Hotz, CISSP
- Re: [kitten] Comments on draft-ietf-kitten-krb-sp… Greg Hudson
- Re: [kitten] Comments on draft-ietf-kitten-krb-sp… Henry B (Hank) Hotz, CISSP
- Re: [kitten] Comments on draft-ietf-kitten-krb-sp… Benjamin Kaduk
- Re: [kitten] Comments on draft-ietf-kitten-krb-sp… Benjamin Kaduk