Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
Nico Williams <nico@cryptonector.com> Mon, 14 September 2015 15:11 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B655B1B3566 for <kitten@ietfa.amsl.com>; Mon, 14 Sep 2015 08:11:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GqP2zIWacCie for <kitten@ietfa.amsl.com>; Mon, 14 Sep 2015 08:11:18 -0700 (PDT)
Received: from homiemail-a87.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 632911B570C for <kitten@ietf.org>; Mon, 14 Sep 2015 08:11:18 -0700 (PDT)
Received: from homiemail-a87.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTP id 872B126C0AA; Mon, 14 Sep 2015 08:11:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=znCtCU9+XLVnexFtLOxLQ4OzjNs=; b=BxoDgCCQQei 3dQiPHecARGYaH0qxRwYezItTLqU3cy4wyawcE+W+K7sYkkeZ8cI5cQV33o1u6QA 6nmbvcxtY5hMJfojEA4hpGSapnivmsJOiwwlhpId9ML7piDIWybbLvMHM1XAdoRU 4Whch/k5pi2xn3DvkUpu0UMatpGpNt7w=
Received: from localhost (108-207-244-100.lightspeed.austtx.sbcglobal.net [108.207.244.100]) (Authenticated sender: nico@cryptonector.com) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTPA id 1237926C0A9; Mon, 14 Sep 2015 08:11:17 -0700 (PDT)
Date: Mon, 14 Sep 2015 10:11:16 -0500
From: Nico Williams <nico@cryptonector.com>
To: Rick van Rein <rick@openfortress.nl>
Message-ID: <20150914151115.GA13294@localhost>
References: <55F686EA.30206@openfortress.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <55F686EA.30206@openfortress.nl>
User-Agent: Mutt/1.5.21 (2010-09-15)
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/8bPSTa4A6mmk-sahDqmgs28_pfU>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2015 15:11:20 -0000
On Mon, Sep 14, 2015 at 10:35:54AM +0200, Rick van Rein wrote: > Think of service descriptions to find the realm for > HTTP/www.example.com, like > > _http.www.example.com. IN KREALM “realm” “EXAMPLE.COM” > _http.www.example.com. IN KREALM "service" "HTTP" Why call it KREALM if it can be used to find things other than Kerberos realm names? Why use this to find service names? The app knows the service name. (I know of no app that doesn't. Further, I don't know how one would say "I don't know the service name, figure it out" in GSS (though we could define "@foo.example" to mean that for GSS_C_NT_HOSTBASED_SERVICE), and finally, expecting "http@foo.example" in GSS to become HTTP/foo.example@EXAMPLE in Kerberos would fail on older implementations, thus why would one? (For better or worse, GSS apps are now stuck using "HTTP" as the service name for HTTP.) (For things like MSFT SQL Server, a discoverable service name could have been useful had the service name discovery process included the service's port number as an input, but that's a very odd thing. Putting the port number into the service name would have been plenty good enough in actuality.) > (when not found, searches move upward in the DNS tree but not beyond > the zone apex; the I-D specifies an efficient, DNS-folk-agreeable way > of doing this) I'll have to look. > but also think of realm descriptive information like See my first question above. > example.com. IN KREALM "realm" "EXAMPLE.COM" > example.com. IN KREALM "admin" "john/admin@EXAMPLE.COM" > example.com. IN KREALM "admin.uri" "http://www.example.com/contact.html" > example.com. IN KREALM "admin.uri" > "ldap://ldap.example.com/?cn=John+Smith,dc=example,dc=com" > example.com. IN KREALM "admin.cert" "admcert.example.com." > admcert.example.com. IN CERT ... I guess you meant TLSA? Is this really Kerberos-specific? The realm names are. The admin principal names are (but would you list them all?) The rest doesn't seem Kerberos-specific. If we think of realm names are "issuers" then in a sense a new TLSA RR usage would fit the bill (though that might not be useful for other reasons). > Now, the question surfaces what use cases of KREALM records could > exist. I've identified three or four: > > 1. Kerberos client (or his KDC) knows service name + hostname, and > wants to find a realm name Sure. > 2. Kerberos node wants to find the case-sensitive realm name for a > DNS name, in a secure manner I guess the difference between 1 and 2 is that the domainname in 2 might not be a hostname? > 3. Kerberos node wants to find automatic validation information for a > realm administrator (principal name) Can you be more specific? Usually the node will just know this (e.g., because the admin is providing their name at a prompt). > 4. Kerberos node wants to find manual contact information for a realm > administrator (perhaps through a URI and/or CERT record with an > X.509 or PGP certificate) This seems utterly generic, not Kerberos-specific. There might be many contacts for different sub-systems (storage, cloud, this, that, Kerberos). > 5. (optional) Kerberos client wants to perform service discovery > under a realm and/or at a DNS name But why not discover the service, then its realm (i.e., use-case 1). If you know the realm a priori then there's no need to discover the realm (unless it's to make sure the two match before going any further). ==== What if there are multiple realms/whatever defined? > Based on these, I should be able to formulate the keys and search > patterns for the data. I am aware that the keys will be vital for > trust in the information found! > > If you have anything to add (or remove) then please let me know! If we drop the Kerberos-specificity, what then happens politically with this proposal? Does this become a TXT replacement swiss knife that suddenly requires more work to obtain consensus? Nico --
- [kitten] Finding Kerberos Realm Descriptors in se… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Greg Hudson
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Greg Hudson
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Martin Rex
- Re: [kitten] Finding Kerberos Realm Descriptors i… Watson Ladd
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams