Re: [kitten] taking on new work?
Nico Williams <nico@cryptonector.com> Wed, 05 April 2017 19:10 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3581E127A90 for <kitten@ietfa.amsl.com>; Wed, 5 Apr 2017 12:10:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.296
X-Spam-Level:
X-Spam-Status: No, score=-4.296 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.796, RCVD_IN_SORBS_SPAM=0.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PIK4V0NlEBHR for <kitten@ietfa.amsl.com>; Wed, 5 Apr 2017 12:10:42 -0700 (PDT)
Received: from homiemail-a84.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 173C3128E19 for <kitten@ietf.org>; Wed, 5 Apr 2017 12:10:38 -0700 (PDT)
Received: from homiemail-a84.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a84.g.dreamhost.com (Postfix) with ESMTP id 9BFE8C00282C; Wed, 5 Apr 2017 12:10:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=HIlyNsNt8HD1YN um9KyuR+GkDTk=; b=aBfRbbMrW5iwSy9hpK9L2ZoDoWC009G2Bz79d/dxNb2z5l Bi4ANVb4F3rxHcxEoh+olJtgzBUt8fV1bV6/hT9JRF+Kz4/wdOQ9VbVy1Vnb1QkL QuNq8szGmlv63U6x/KOxiW1cqN6SKZOkTrOozG+C8D+sfZvebEaG4MK5SuiGo=
Received: from localhost (gzac12-mdf2-1.aoa.twosigma.com [208.77.215.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a84.g.dreamhost.com (Postfix) with ESMTPSA id 30956C00282B; Wed, 5 Apr 2017 12:10:37 -0700 (PDT)
Date: Wed, 05 Apr 2017 14:10:35 -0500
From: Nico Williams <nico@cryptonector.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: kitten@ietf.org
Message-ID: <20170405191034.GF4004@localhost>
References: <20170405045550.GJ30306@kduck.kaduk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20170405045550.GJ30306@kduck.kaduk.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/7kYsVQxWKZ6obkb9gQ_puc2IKFw>
Subject: Re: [kitten] taking on new work?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2017 19:10:44 -0000
On Tue, Apr 04, 2017 at 11:55:50PM -0500, Benjamin Kaduk wrote: > Now that we've cleared a fair bit of backlog, publishing a few old > documents and getting ready to kick more up to the IESG, it seems > apropos to consider what "new" work to adopt (many of which have > been lingering as individual documents for a while and are not > exactly new). > > To give some historical perspective on the sense of the working > group, back in Buenos Aires the chairs had a (very broad!) list of: > draft-williams-kitten-krb5-pkcross > draft-williams-kitten-krb5-extra-rt > draft-williams-kitten-generic-naming-attributes > draft-williams-kitten-impersonation-naming-attr > draft-vanrein-kitten-rfbsasl > draft-vanrein-dnstxt-krb1 > draft-vanrein-krb5-kdh > draft-vanrein-kitten-krb5-pseudonymity > draft-mccallum-kitten-krb-spake-preauth > draft-kaduk-kitten-des-des-des-die-die-die > draft-howard-gssapi-aead > draft-mccallum-kitten-krb-service-discovery There's really a very large amount of work to do in KITTEN WG, but a very small amount of energy. The three primary implementors, and several additional derivative implementors, all have different agendas and insufficient energy for reviewing each others' work early on. I think a lot of the above, and others not on that list, could be done outside the IETF using IANA registries to avoid collisions and provide a modicum of documentation. We could then submit I-Ds and publish RFCs after we gain deployment experience. > What do people currently feel are the top one or two highest > priority items for the WG to consider? For me the highest priority areas would be: - AEAD (i.e., performance) - krb5-extra-rt (i.e., better user experience) - GSS naming attributes (first, because I need them, and secondly because I see others adding features that should be added as name attributes, but not doing it as name attributes, and that complicates my universe because I really want to pass around NAMEs or exported composite name tokens rather than security contexts) - We actually need to fix the Java bindings of GSS to say that GSSName implements Principal (that's a long story) I am also very interested in various of the ones you listed above: - Channel bound flag... - SPAKE - KDH - PKCROSS - TLS-1.3-based GSS mechanism - Specification of how to use Kerberos tickets as TLS 1.3 session resumption tickets I'm also interested in publishing at least an Informative track RFC explaining how to key services using ECDH, and clustered services using multi-party ECDH. A combination of PKCROS, PKINIT (or SPAKE), and ECDH-keyed services would yield a protocol that can easily recover from KDC database compromise, and combined with periodic realm public key rollover, and a cacheable PKIX-based LoA authz-data, could allow a level of cryptographic assurance that can compete with PKIX. But I wouldn't have the energy for that any time soon. Nico --
- Re: [kitten] taking on new work? Benjamin Kaduk
- Re: [kitten] taking on new work? Benjamin Kaduk
- [kitten] taking on new work? Benjamin Kaduk
- Re: [kitten] taking on new work? Rick van Rein
- Re: [kitten] taking on new work? Jeffrey Altman
- Re: [kitten] taking on new work? Benjamin Kaduk
- Re: [kitten] taking on new work? Jeffrey Altman
- Re: [kitten] taking on new work? Benjamin Kaduk
- Re: [kitten] taking on new work? Benjamin Kaduk
- Re: [kitten] taking on new work? Jeffrey Altman
- Re: [kitten] taking on new work? Greg Hudson
- Re: [kitten] taking on new work? Nico Williams
- Re: [kitten] taking on new work? Benjamin Kaduk
- Re: [kitten] taking on new work? Nico Williams
- Re: [kitten] taking on new work? Benjamin Kaduk
- Re: [kitten] taking on new work? Robbie Harwood
- Re: [kitten] taking on new work? Cantor, Scott
- Re: [kitten] taking on new work? Matt Rogers