IETF Logo Mail Archive

Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt

Rick van Rein <rick@openfortress.nl> Tue, 22 March 2016 07:09 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC40712D1AD; Tue, 22 Mar 2016 00:09:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level:
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z6GIuBlTKfoE; Tue, 22 Mar 2016 00:09:56 -0700 (PDT)
Received: from lb3-smtp-cloud2.xs4all.net (lb3-smtp-cloud2.xs4all.net [194.109.24.29]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95A5012D603; Tue, 22 Mar 2016 00:09:55 -0700 (PDT)
Received: from airhead.local ([83.161.146.46]) by smtp-cloud2.xs4all.net with ESMTP id Yv9q1s00X10HQrX01v9sSe; Tue, 22 Mar 2016 08:09:52 +0100
Message-ID: <56F0EFBD.90800@openfortress.nl>
Date: Tue, 22 Mar 2016 08:09:49 +0100
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: "Paul Miller (NT)" <paumil@microsoft.com>
References: <20160321223215.12211.35084.idtracker@ietfa.amsl.com> <56F0945E.5070804@openfortress.nl> <BLUPR0301MB1953F7DDC9FD35D3139F4F20CD800@BLUPR0301MB1953.namprd03.prod.outlook.com>
In-Reply-To: <BLUPR0301MB1953F7DDC9FD35D3139F4F20CD800@BLUPR0301MB1953.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/9d0w6fZH0ho10P4PwQHO0zYSU1Y>
Cc: "kitten@ietf.org" <kitten@ietf.org>, "draft-ietf-kitten-pkinit-freshness@ietf.org" <draft-ietf-kitten-pkinit-freshness@ietf.org>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 07:09:58 -0000

Hi Paul,

> The KDC is stateless, so as far as the KDC is concerned there is nothing to do about that cycle.

And so it should be.  If anything is done to defend against infinite looping clients it should probably take the form of bulk defense against attackish patterns.

> It is the responsibility of the client not to retry indefinitely.

May I suggest that you state that in the text?  The current draft is a procedure, and could benefit from invariant statements to clarify the cases that fall outside of the intended procedure.

Thanks,
 -Rick

v2.23.0 | Report a Bug | By Email