Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-01.txt

Greg Hudson <ghudson@mit.edu> Mon, 04 May 2015 18:35 UTC

Message-ID: <5547BBE4.4000006@mit.edu>
Date: Mon, 04 May 2015 14:35:16 -0400
From: Greg Hudson <ghudson@mit.edu>
To: Sam Hartman <hartmans-ietf@mit.edu>
References: <20150307024328.31740.75123.idtracker@ietfa.amsl.com> <alpine.GSO.1.10.1503111348200.3953@multics.mit.edu> <alpine.GSO.1.10.1503111405000.3953@multics.mit.edu> <5500AD51.5030902@mit.edu> <alpine.GSO.1.10.1503111725490.3953@multics.mit.edu> <BL2PR03MB2124E0360819B3162C9E48DD0060@BL2PR03MB212.namprd03.prod.outlook.com> <tsl38590yn0.fsf@mit.edu> <BL2PR03MB2127227DDC7941010BC26A6D0070@BL2PR03MB212.namprd03.prod.outlook.com> <550339DA.6000109@mit.edu> <BL2PR03MB21281E5DBF9A38B16C91338D0E90@BL2PR03MB212.namprd03.prod.outlook.com> <alpine.GSO.1.10.1504291620270.22210@multics.mit.edu> <tslbni0y0d2.fsf@mit.edu> <55478C61.2040601@mit.edu> <tsl4mnsuu3i.fsf@mit.edu>
In-Reply-To: <tsl4mnsuu3i.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/Ao6bcekK6xvYHNpxiaF2iLOSbUQ>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Michiko Short <michikos@microsoft.com>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-01.txt

On 05/04/2015 01:32 PM, Sam Hartman wrote:
>     Greg> I think it's a little unfortunate, but if it will make
>     Greg> Microsoft's life easier, a few extra bytes in each AS request
>     Greg> won't break the world.
> 
> Well, it is kind of what RFC 4120 anticipates you'll do whenever you
> introduce a new option.

The freshness token is a padata value in the method-data of a
PREAUTH_REQUIRED error.  To an old client, it looks like an
unsupported preauth mech or a piece of unrecognized informational
preauth data (which is what it is).  We have never required clients to
indicate support for either of these things.  For instance, RFC 4120
requires KDCs to send ETYPE-INFO2 in method-data even if the request
does not use a new enctype.
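The behaviour Greg describes, a pre-freshness client skipping a padata type it does not recognise in a PREAUTH_REQUIRED error while still consuming ETYPE-INFO2, can be shown with a toy METHOD-DATA encoder/decoder. The following is an added illustration for this thread, not code from any Kerberos implementation or from the draft. It assumes the freshness padata type number 150 (the value RFC 8070 later assigned; draft-01 had not fixed one), and the padata-value bytes are constructed placeholders rather than real ETYPE-INFO2 or freshness-token encodings.

```python
"""Toy DER handling for Kerberos METHOD-DATA (RFC 4120 section 5.2.7.5).

PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }
METHOD-DATA ::= SEQUENCE OF PA-DATA

Illustrative only: shows how a client that predates the freshness draft
treats an unrecognised padata type as informational and skips it.
"""

PA_ENC_TIMESTAMP = 2     # RFC 4120
PA_PK_AS_REQ = 16        # RFC 4556
PA_ETYPE_INFO2 = 19      # RFC 4120
PA_AS_FRESHNESS = 150    # ASSUMPTION: value RFC 8070 later assigned; draft-01 left it TBD


def der_len(n: int) -> bytes:
    """DER length octets, short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    """Minimal two's-complement DER INTEGER (covers the small Int32 pa-types here)."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def pa_data(ptype: int, value: bytes) -> bytes:
    """One PA-DATA: [1] padata-type, [2] padata-value (explicit context tags)."""
    return tlv(0x30, tlv(0xA1, der_int(ptype)) + tlv(0xA2, tlv(0x04, value)))


def method_data(items: list) -> bytes:
    """SEQUENCE OF PA-DATA, as carried in the e-data of a KRB-ERROR."""
    return tlv(0x30, b"".join(items))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element), with bounds checks."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + length], pos + length


def parse_method_data(der: bytes) -> list:
    """Decode METHOD-DATA into a list of (padata-type, padata-value) pairs."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("METHOD-DATA must be a single SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, pa, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("PA-DATA must be a SEQUENCE")
        t1, type_field, p = read_tlv(pa, 0)      # [1] wrapper
        t2, value_field, _ = read_tlv(pa, p)     # [2] wrapper
        if t1 != 0xA1 or t2 != 0xA2:
            raise ValueError("unexpected PA-DATA field tags")
        _, int_bytes, _ = read_tlv(type_field, 0)    # INTEGER inside [1]
        _, value_bytes, _ = read_tlv(value_field, 0)  # OCTET STRING inside [2]
        out.append((int.from_bytes(int_bytes, "big", signed=True), value_bytes))
    return out


# What a client written before the freshness draft knows how to act on.
LEGACY_KNOWN = {
    PA_ENC_TIMESTAMP: "PA-ENC-TIMESTAMP",
    PA_PK_AS_REQ: "PA-PK-AS-REQ",
    PA_ETYPE_INFO2: "PA-ETYPE-INFO2",
}


def legacy_client_process_error(edata: bytes):
    """Return (recognised padata names, ignored pa-type numbers).

    Unknown types are recorded and skipped, never treated as an error, which is
    the RFC 4120 behaviour the thread relies on.
    """
    recognised, ignored = [], []
    for ptype, _value in parse_method_data(edata):
        if ptype in LEGACY_KNOWN:
            recognised.append(LEGACY_KNOWN[ptype])
        else:
            ignored.append(ptype)
    return recognised, ignored


def build_sample_edata() -> bytes:
    """Constructed PREAUTH_REQUIRED e-data: ETYPE-INFO2 plus a freshness token.

    Both padata-value payloads are placeholders, not real encodings.
    """
    return method_data([
        pa_data(PA_ETYPE_INFO2, b"\x30\x00"),                     # empty SEQUENCE placeholder
        pa_data(PA_AS_FRESHNESS, b"constructed-freshness-token"),  # opaque placeholder
    ])


if __name__ == "__main__":
    print(legacy_client_process_error(build_sample_edata()))
```

The decoder is deliberately strict about tags and lengths so a malformed error body is rejected outright, while unknown padata types pass through untouched; that distinction between "unparseable" and "unrecognised" is what lets a KDC add a new informational padata without old clients noticing.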