Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Simo Sorce <simo@redhat.com> Tue, 21 February 2023 20:29 UTC

Message-ID: <79d730c13949d649783a0e565a8c108abad944a1.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Nico Williams <nico@cryptonector.com>, "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Date: Tue, 21 Feb 2023 15:29:45 -0500
In-Reply-To: <Y/T/3wwBIMZ+2mf6@gmail.com>
References: <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <6cb6f5ddfc7b9b150b4eef72db5a3f3b9566fd80.camel@redhat.com> <20230219194355.36139173DDE@pb-smtp2.pobox.com> <Y/K2IEhX6c+b05Ye@gmail.com> <Y/QT7BxdTHq0RYTz@gmail.com> <7064A9EB-EB01-426C-9BED-AFB97FA93551@padl.com> <Y/Q7hdTOF1HaxQKM@gmail.com> <Y/RFX4XywCAlhCeB@gmail.com> <MW4PR21MB197087AF4BB7632B0DF662619CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/T/3wwBIMZ+2mf6@gmail.com>
Organization: Red Hat
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/98V9QYAEF-H7UT7C0EOU9NL7A9I>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>

On Tue, 2023-02-21 at 11:31 -0600, Nico Williams wrote:
> On Tue, Feb 21, 2023 at 04:44:15PM +0000, Steve Syfuhs (AP) wrote:
> > You might also consider Active Directory's (group) managed service
> > accounts. At least the group keying mechanism.
> 
> Where would I learn more about that?

FreeIPA has a similar feature geared towards unix systems, where
traditionally different services use different keytabs.
It allows delegating to a specific service (say the host principal) the
ability to fetch keytabs for other services (not necessarily under the
same name either).

Old design page here, may look somewhat different these days:
https://www.freeipa.org/page/V4/Keytab_Retrieval_Management

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc