Re: [kitten] shepherd review of draft-ietf-kitten-krb-auth-indicator-02
Benjamin Kaduk <kaduk@MIT.EDU> Mon, 26 September 2016 22:58 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47F3212B36D; Mon, 26 Sep 2016 15:58:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.517
X-Spam-Level:
X-Spam-Status: No, score=-6.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5BhoN7roMMsz; Mon, 26 Sep 2016 15:58:38 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FEB412B369; Mon, 26 Sep 2016 15:58:38 -0700 (PDT)
X-AuditID: 1209190c-9efff7000000241d-1f-57e9a81bd2f1
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 2E.7C.09245.B18A9E75; Mon, 26 Sep 2016 18:58:36 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id u8QMwYCn027173; Mon, 26 Sep 2016 18:58:35 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u8QMwVq4011798 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 26 Sep 2016 18:58:34 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id u8QMwV64004786; Mon, 26 Sep 2016 18:58:31 -0400 (EDT)
Date: Mon, 26 Sep 2016 18:58:31 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Greg Hudson <ghudson@MIT.EDU>
In-Reply-To: <c0921ba3-7b3e-4716-736b-b73518dafe93@mit.edu>
Message-ID: <alpine.GSO.1.10.1609261855430.5272@multics.mit.edu>
References: <alpine.GSO.1.10.1609251734290.5272@multics.mit.edu> <c0921ba3-7b3e-4716-736b-b73518dafe93@mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrNIsWRmVeSWpSXmKPExsUixCmqrCuz4mW4wZ5pMhaHb+xitzi6eRWL A5PHkiU/mQIYo7hsUlJzMstSi/TtErgy/n5+wlgwRaxiyc2dzA2MKwW7GDk5JARMJH5e2sbe xcjFISTQxiRx9cFxKGcjo8SUlRuZIJxDTBIv1z9gg3AaGCUezfvDAtLPIqAtcb73G5jNJqAi MfPNRjYQW0RAUeL3yreMIDazgJPEsq2d7CC2sECQRNumI6xdjBwcnALWElPWpYGEeQUcJM72 NzGChIUE8iXmLrADCYsK6Eis3j+FBaJEUOLkzCcsEBO1JJZP38YygVFgFpLULCSpBYxMqxhl U3KrdHMTM3OKU5N1i5MT8/JSi3QN9XIzS/RSU0o3MYLDUJJnB+OZN16HGAU4GJV4eC3KX4YL sSaWFVfmHmKU5GBSEuXtnAkU4kvKT6nMSCzOiC8qzUktPsQowcGsJMLLuRwox5uSWFmVWpQP k5LmYFES5+2acSBcSCA9sSQ1OzW1ILUIJivDwaEkwSsO0ihYlJqeWpGWmVOCkGbi4AQZzgM0 XAxseHFBYm5xZjpE/hSjopQ4r/IyoIQASCKjNA+uF5wmdjOpvmIUB3pFmLcFpJ0HmGLgul8B DWYCGrz0xAuQwSWJCCmpBsYj19c+uxNx5Oi7o5F+DUv7nb3/aaq5ifzPtGCL3KIotJ7N94fW dqnjlxJNtq3M31Ab73pLboH/bldGHr6mMwuM0lak3d5teecP8/zTMRUb9dK/lSxvk9v3ysNn z+G+39P2LP/yOORM9r99m6wMHXZUL015VVT0fFamoe6RGcKH7RconN6kwpCoxFKckWioxVxU nAgAmLS0Ce4CAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/7Xgq7OMqCGUT1V9NcRW19626KlE>
Cc: kitten@ietf.org, draft-ietf-kitten-krb-auth-indicator@ietf.org
Subject: Re: [kitten] shepherd review of draft-ietf-kitten-krb-auth-indicator-02
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2016 22:58:40 -0000
On Mon, 26 Sep 2016, Greg Hudson wrote: > On 09/25/2016 07:20 PM, Benjamin Kaduk wrote: > > It feels like some parts of the document are written as if the "short > > strings" for comparison against known values are only for use when > > presented back to the KDC, but other parts of the document describe it as > > being used for policy decisions made by application services as well as > > the KDC. > > Application servers can use auth indicators. What parts of the document > imply that they are only used by the KDC? I don't think there's anything explicit, just some implicit implication by way of not concretely specifying the structure enough to be fully portable without site-local configuration. > > So, I think that section 3 should be more stringent, saying something like > > "strings that contain a colon character MUST be URIs that reference a > > Level of Assurance Profile, leaving other strings available for > > site-local use". > > The existing text in section 3 is pretty clear to me, but if we need to > make it more clear, I suggest replacing: > > These > strings MAY be site-defined strings that do not contain a colon such > as the name of the Pre-Authentication mechanism used, or > alternatively URIs that reference a Level of Assurance Profile > [RFC6711]. > > with: > > Each string MUST be either: > > * A URI which references a Level of Assurance Profile [RFC6711]. > > * A site-defined string, which MUST NOT contain a colon, whose > meaning is determined by the realm administrator. That seems like an improvement to me, in that it is more likely to result in interoperable implementations. > > I also suspect that the last paragraph of the security considerations > > should be rewritten in a normative fashion and moved to section 3, to make > > it clear what the presence of a given string in the authdata indicates. > > (Do we know of reasons why someone might use this AD element to indicate > > something other than a positive indication that the indicated requirements > > were met during the initial authentication?) > > That seems like a reasonable change to me. > > > There's also some matter of form regarding the string > > "AD-AUTHENTICATION-INDICATOR", which should probably just be used for the > > definition of the ASN.1 type; the value 97 is the ad-type for which the > > contents of-the ad-data field will be the DER encoding of the > > AD-AUTHENTICATION-INDICATOR object. So, I would just say "The KDC MAY > > include authorization data of ad-type 97, wrapped in AD-CAMMAC, [...]" and > > skip the line that's just > > > > AD-AUTHENTICATION-INDICATOR 97 > > > > (and replace the colon with a full stop). > > That change also seems okay to me. Thanks for the review. -Ben
- [kitten] shepherd review of draft-ietf-kitten-krb… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-ietf-kitten… Greg Hudson
- Re: [kitten] shepherd review of draft-ietf-kitten… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-ietf-kitten… Nathaniel McCallum
- Re: [kitten] shepherd review of draft-ietf-kitten… Nathaniel McCallum
- Re: [kitten] shepherd review of draft-ietf-kitten… Benjamin Kaduk
- [kitten] intended status and Updates: 4120 for dr… Benjamin Kaduk
- Re: [kitten] intended status and Updates: 4120 fo… Greg Hudson