Re: [kitten] Authentication indicator - Do we need client indicator ?

Greg Hudson <ghudson@mit.edu> Wed, 18 February 2015 16:14 UTC

Message-ID: <54E4BA4D.3030405@mit.edu>
Date: Wed, 18 Feb 2015 11:14:05 -0500
From: Greg Hudson <ghudson@mit.edu>
To: Simo Sorce <simo@redhat.com>, kitten@ietf.org
In-Reply-To: <1424275015.6980.23.camel@willson.usersys.redhat.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/8wS31BakWnUn1YO9BXHWO1twr18>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

On 02/18/2015 10:56 AM, Simo Sorce wrote:
> In AD-CAMMAC we mention that if the KDC wants to make sure to bind the
> CAMMAC to a specific client principal, then this needs to be done with
> data embedded into an AD within CAMMAC, but in AD-CAMMAC we specify no
> AD type to do that.

CAMMACs are already bound to a client principal name.  You are probably
thinking of the final paragraph of the security considerations, which
refers to the service principal name.