IETF Logo Mail Archive

Re: [kitten] Fwd: New Version Notification for draft-vanrein-dnstxt-krb1-05.txt

Rick van Rein <rick@openfortress.nl> Wed, 30 September 2015 13:22 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A7A71A8034 for <kitten@ietfa.amsl.com>; Wed, 30 Sep 2015 06:22:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.099
X-Spam-Level:
X-Spam-Status: No, score=0.099 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VsgWsDnFdBTW for <kitten@ietfa.amsl.com>; Wed, 30 Sep 2015 06:22:00 -0700 (PDT)
Received: from lb2-smtp-cloud6.xs4all.net (lb2-smtp-cloud6.xs4all.net [194.109.24.28]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8BF81A854C for <kitten@ietf.org>; Wed, 30 Sep 2015 06:21:58 -0700 (PDT)
Received: from airhead.local ([83.161.146.46]) by smtp-cloud6.xs4all.net with ESMTP id PRMs1r00F10HQrX01RMtvX; Wed, 30 Sep 2015 15:21:56 +0200
Message-ID: <560BE1EF.7030405@openfortress.nl>
Date: Wed, 30 Sep 2015 15:21:51 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Greg Hudson <ghudson@mit.edu>
References: <20150915143628.21162.89108.idtracker@ietfa.amsl.com> <55F82DA5.10504@openfortress.nl> <alpine.GSO.1.10.1509172254390.26829@multics.mit.edu> <55FBF0C8.6090904@openfortress.nl> <20150918140247.GB13294@localhost> <20150918153219.GP21942@mournblade.imrryr.org> <55FC4A37.9020305@openfortress.nl> <55FD5F8B.8050807@openfortress.nl> <55FD8806.5070909@mit.edu> <560136F2.3010509@openfortress.nl> <56016C88.6060708@mit.edu>
In-Reply-To: <56016C88.6060708@mit.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/AbmkJzfTJEP5byhbHKSpFgQF9cY>
Cc: kitten@ietf.org
Subject: Re: [kitten] Fwd: New Version Notification for draft-vanrein-dnstxt-krb1-05.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2015 13:22:05 -0000

Hi Greg / others,

I'm rereading the canonicalization RFC, and it does seem to already provide the "case correction extension" that we said we'd need.

Greg, does this make you see things differently?  If not, I will continue with TXT instead of PTR.

>> Do you agree that the conceptual model and inefficient theoretic implementation
>> is in line with what RFC 4120 prescribes, and that the case-correction is
>> merely a more efficient manner of getting to the right answer?  (That would
>> need some explaining in the I-D of course.)
>
> I do not agree.  RFC 4120 says, "Before sending a request to the
> ticket-granting service, the client MUST determine in which realm the
> application server is believed to be registered."  It doesn't talk about
> determining a set of possible realms--certainly not a combinatoric set
> of 2^N possible realms where N is the number of case-varying characters.
>  What you are talking about is unquestionably an extension to RFC 4120.

RFC 6806 section 9 adds

   RFC 4120 permits a KDC to return a closer referral ticket when a
   cross-realm TGT is requested.  This specification extends this
   behavior when the canonicalize flag is set.  When this flag is set, a
   KDC MAY return a TGT for a realm closer to the service for any
   service as discussed in the previous section.  When a client follows
   such a referral, it includes the realm of the referred-to realm in
   the generated request.

The case-corrected realm in the krbtgt reply could be considered
"a realm closer to the service" and it would be followed instead of
the original one.  That is, when canonicalization is requested.  That
could be used for case correction -- if you agree to what I'm reading
in this text.

So we are back to our choice, and it's arbitrary to me which we choose.

We might still decide on TXT on grounds of
 1. it's been implemented, and informally documented
 2. it completely evades case-dependent problems
 3. it's more efficient (for mixed-case realm names)
 4. the _kerberos prefix bypasses overloading of TXT

Whereas PTR has advantages
 1. More akin to the domain-style names
 2. Initial mapping to all-uppercase works for the majority of cases
 3. Case correction by the KDC works for the few other cases
 4. It offers a future path for case-insensitive realm names in KDCs

Opinions, anyone?  To me it feels that everything that works according to the standards is acceptable to this group now?

Cheers,
 -Rick

v2.23.0 | Report a Bug | By Email