Re: [kitten] Replacing Kerberos (Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03)

Luke Howard <lukeh@lukehoward.com> Mon, 20 February 2023 04:33 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/9q4jjUtHNHj6eKg332OEsrbujtQ>

Ten years ago (!) I implemented (and, with Nico’s help, documented) a GSS-API/SASL mechanism based on Mozilla’s BrowserID protocol with the following properties:

- JWT-based
- ECDH key exchange
- Key confirmation / mutual authentication
- Fast symmetric key-based re-authentication
- 1.5 round trip variant for avoiding a replay cache
- Kerberos-style naming
- JWT “authorisation data” through RFC6680 naming extensions
- RFC4121 message protection services / PRF
- Advertisement of server certificates via NegoEx

BrowserID is dead but there are probably some things that could be salvaged from this to make a mech_dh replacement.

Links:

https://datatracker.ietf.org/doc/html/draft-howard-gss-browserid
https://github.com/PADL/libbrowserid