Re: [kitten] Any Interest in a Key Delivery Service?

Ken Hornstein <kenh@pobox.com> Thu, 14 September 2017 02:02 UTC

From: Ken Hornstein <kenh@pobox.com>
To: kitten@ietf.org
In-Reply-To: <20170914011724.GN96685@kduck.kaduk.org>
References: <2FB98F5F-3981-4EFF-8CFF-FF6B5B3D485C@oxy.edu> <20170913013057.B1BEE8E632@pb-smtp2.pobox.com> <20170914011724.GN96685@kduck.kaduk.org>
Date: Wed, 13 Sep 2017 22:02:31 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/Aslgp1XSRYNic02Bpkq3NQd8lc0>

>> >I have run into a couple of cases where I wanted the kdc to provide --
>> >not a service ticket -- but an actual encryption key for some data at
>> >rest. (Specifically an encrypted disk or a database.)
>> 
>> It seems like a lot of people use KMIP for that.  I think it would make
>> sense to be able to use Kerberos to authenticate to KMIP, but in my brief
>
>I don't know much about KMIP, but it does seem like there is not very
>much that would tie such a service to be part of and/or colocated with
>a Kerberos KDC.  This functionality ought to be providable by a
>"generic kerberized service", i.e., something running elsewhere than the
>KDC that authenticates via kerberos.

Right, that was what I was suggesting.  You can find the KMIP specification
here:

	http://docs.oasis-open.org/kmip/spec/v1.2/kmip-spec-v1.2.html

If you look at section 2.1.2, they have a BRIEF mention of Kerberos
where it talks about the Credential structure.  But it's not clear to me
at first glance if there is a spot in the protocol for an AP-REP, much
less a potentially-unlimited series of round trips that you could get
via GSSAPI.  I only mentioned KMIP because that is a protocol designed
to generate, store, and retrieve keys for use in EXACTLY the situation
originally mentioned (it is big in the data at rest world).  It might be
more fruitful to try to adapt KMIP to your needs rather than shoehorn
the KDC into that role.

--Ken