Re: [kitten] Replacing Kerberos (Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03)
Nico Williams <nico@cryptonector.com> Mon, 20 February 2023 07:18 UTC
Date: Mon, 20 Feb 2023 01:18:21 -0600
From: Nico Williams <nico@cryptonector.com>
To: Luke Howard <lukeh=40lukehoward.com@dmarc.ietf.org>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/MeveuKvtmb6k0N@gmail.com>
In-Reply-To: <3E71967A-D192-4439-A8AC-D94BA8FF0631@lukehoward.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/Av0fs-Abrw9yU9O8O0k4yI4Pv9Y>
On Mon, Feb 20, 2023 at 03:33:14PM +1100, Luke Howard wrote:
> Ten years ago (!) I implemented (and, with Nico’s help, documented) a
> GSS-API/SASL mechanism based on Mozilla’s BrowserID protocol with the
> following properties:

I had completely forgotten about this until you reminded me a few days
ago :/

> JWT-based
> ECDH key exchange
> Key confirmation / mutual authentication
> Fast symmetric key-based re-authentication
> 1.5 round trip variant for avoiding a replay cache
> Kerberos-style naming
> JWT “authorisation data” through RFC6680 naming extensions
> RFC4121 message protection services / PRF
> Advertisement of server certificates via NegoEx
>
> https://datatracker.ietf.org/doc/html/draft-howard-gss-browserid

Looking at draft-howard-gss-browserid-07 I see that while this is based
on JWT, the client makes its own tokens using a key certified by the
IdP, right?

Nowadays I think the primary variation should be where the IdP makes the
token (rather than the client) bearing an ECDH public key provided by
the client (when it requests the token) and where the IdP can also
indicate what the server's ECDH public key is.

Though I still also like the draft-howard-gss-browserid-07, it's just
that factoring out certificates will make it easier for others to
implement.  To make things even easier you might submit a new I-D with
just a certificate-less variant, and then resubmit the original if
there's interest in the certificate-based variant.

Nico

--
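The certificate-less variant sketched in the message, as an added Go example that is not code from the draft or from anyone on the thread: the IdP signs a token carrying the client's ephemeral ECDH public key (supplied with the token request) and the server's ECDH public key, and both sides prove possession of the matching private keys with a key-confirmation MAC. The token field names, the Ed25519 IdP signature, and using the raw X25519 secret as the HMAC key in place of the mechanism's real KDF and RFC4121 message protection are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

type Token struct { // stands in for the IdP-issued JWT sketched in the message
	Sub       string `json:"sub"`
	ClientPub []byte `json:"client_ecdh_pub"` // client's ephemeral X25519 key, sent with its token request
	ServerPub []byte `json:"server_ecdh_pub"` // intended server's X25519 key, as indicated by the IdP
	Sig       []byte `json:"sig,omitempty"`   // IdP's Ed25519 signature over body()
}
func (t Token) body() []byte { t.Sig = nil; b, _ := json.Marshal(t); return b }
// IdPIssue is the IdP's side: sign a token for sub over the two public keys.
func IdPIssue(idp ed25519.PrivateKey, sub string, clientPub, serverPub []byte) Token {
	t := Token{Sub: sub, ClientPub: clientPub, ServerPub: serverPub}
	t.Sig = ed25519.Sign(idp, t.body())
	return t
}
func dh(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) { // X25519 against a raw peer key
	p, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil { return nil, err }
	return priv.ECDH(p)
}
// mac is one side's key-confirmation value, bound to this exact token and direction.
func mac(shared []byte, t Token, role string) []byte {
	m := hmac.New(sha256.New, shared) // a real mechanism would run the secret through a KDF first
	m.Write(append(append(t.body(), t.Sig...), []byte(role)...))
	return m.Sum(nil)
}
// ClientStart: ECDH against the server key the IdP named in the token; returns the shared secret and the client's MAC.
func ClientStart(cli *ecdh.PrivateKey, t Token) ([]byte, []byte, error) {
	shared, err := dh(cli, t.ServerPub)
	if err != nil { return nil, nil, err }
	return shared, mac(shared, t, "client"), nil
}
// ServerAccept: verify the IdP signature, that the token names this server, and the client's MAC; return subject and server MAC.
func ServerAccept(idpPub ed25519.PublicKey, srv *ecdh.PrivateKey, t Token, clientMAC []byte) (string, []byte, error) {
	if !ed25519.Verify(idpPub, t.body(), t.Sig) { return "", nil, errors.New("bad IdP signature") }
	if string(t.ServerPub) != string(srv.PublicKey().Bytes()) { return "", nil, errors.New("token not for this server") }
	shared, err := dh(srv, t.ClientPub)
	if err != nil { return "", nil, err }
	if !hmac.Equal(clientMAC, mac(shared, t, "client")) { return "", nil, errors.New("client key confirmation failed") }
	return t.Sub, mac(shared, t, "server"), nil
}
```

The client finishes mutual authentication by checking the server's reply against mac(shared, t, "server"); a stolen token is useless to a party that lacks the client's ECDH private key, because it cannot produce the client MAC.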