Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt
Greg Hudson <ghudson@mit.edu> Wed, 06 April 2016 15:06 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0BD412D66E; Wed, 6 Apr 2016 08:06:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lykr4utxk_p8; Wed, 6 Apr 2016 08:06:07 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61F5512D812; Wed, 6 Apr 2016 08:02:12 -0700 (PDT)
X-AuditID: 1209190f-c8fff70000004b9e-c6-570524f34b50
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id E1.DF.19358.3F425075; Wed, 6 Apr 2016 11:02:11 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id u36F2AbI015432; Wed, 6 Apr 2016 11:02:11 -0400
Received: from [18.101.8.140] (vpn-18-101-8-140.mit.edu [18.101.8.140]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u36F28U4016322 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 6 Apr 2016 11:02:09 -0400
To: Benjamin Kaduk <kaduk@mit.edu>, Michiko Short <michikos@microsoft.com>
References: <20160321223215.12211.35084.idtracker@ietfa.amsl.com> <56F0945E.5070804@openfortress.nl> <BLUPR0301MB1953F7DDC9FD35D3139F4F20CD800@BLUPR0301MB1953.namprd03.prod.outlook.com> <56F0EFBD.90800@openfortress.nl> <56F13EEB.70502@mit.edu> <BY1PR03MB1417EBB6878983B57073528CD0800@BY1PR03MB1417.namprd03.prod.outlook.com> <alpine.GSO.1.10.1604061016100.26829@multics.mit.edu>
From: Greg Hudson <ghudson@mit.edu>
X-Enigmail-Draft-Status: N1110
Message-ID: <570524F0.5040103@mit.edu>
Date: Wed, 06 Apr 2016 11:02:08 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <alpine.GSO.1.10.1604061016100.26829@multics.mit.edu>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrLIsWRmVeSWpSXmKPExsUixCmqrPtZhTXc4Pp5OYurqzoYLY5uXsVi 8a+bz4HZY8mSn0werTv+sgcwRXHZpKTmZJalFunbJXBl7Fw5nbngDm/FumfnGBsYe7i7GDk5 JARMJO7fnMzWxcjFISTQxiTx6v9MFpCEkMAGRokrvWoQicNMEp9mbGcESQgLeEvcPNbJ2sXI wSEi4CUx5Uc6RE0Ls0Tf1e2sIA6zQD+jxP8vp8Aa2ASUJdbv38oCsU5Oord7EpjNK6Am8f3Y MSYQm0VARWLGtmZmEFtUIELiydyTjBA1ghInZz4Bq+cUcJI4/mEpmM0soCex4/ovVghbXqJ5 62zmCYyCs5C0zEJSNgtJ2QJG5lWMsim5Vbq5iZk5xanJusXJiXl5qUW6Jnq5mSV6qSmlmxjB oSzJv4NxToP3IUYBDkYlHl4BK5ZwIdbEsuLK3EOMkhxMSqK8nhKs4UJ8SfkplRmJxRnxRaU5 qcWHGCU4mJVEeBkVgHK8KYmVValF+TApaQ4WJXFeRgYGBiGB9MSS1OzU1ILUIpisDAeHkgSv OjBmhQSLUtNTK9Iyc0oQ0kwcnCDDeYCG64HU8BYXJOYWZ6ZD5E8xKkqJ855WBkoIgCQySvPg esGpJpWj5xWjONArwrw6IO08wDQF1/0KaDAT0OB6YSaQwSWJCCmpBkaHo0aFfUWiZhPcdNjb drQbu7sUzdr9eIuBne4Bhr/WlcGMp1bvWsMw3UPsVlY695f1HCHZnTxrGn7f/LK+V/YFZ7Pi f7v/P05//9cgsJH72K5tAd92vbh9WFVd4kRxtwhnnbIxj6zdZNvVh/vmvQi4ypKSrvNq+RI/ rctsx7+/Y+Ky3PzvS5ESS3FGoqEWc1FxIgDB2VblEAMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/CG3GdjyG3n7ymF0OklHQusQWZkg>
Cc: "kitten@ietf.org" <kitten@ietf.org>, "draft-ietf-kitten-pkinit-freshness@ietf.org" <draft-ietf-kitten-pkinit-freshness@ietf.org>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2016 15:06:14 -0000
On 04/06/2016 10:22 AM, Benjamin Kaduk wrote: > Also, I would like to get an explicit confirmation from Greg that this > text is not problematic (in Section 2.4): > > [...] If the freshness token is not valid, the KDC MUST > return a KRB_ERROR [RFC4120] message with the error-code > > KDC_ERR_PREAUTH_EXPIRED [RFC6113]. The e-data field of the error > contains a METHOD-DATA object [RFC4120] which specifies a valid > PA_AS_FRESHNESS padata-value. > > I see an old comment from Greg in the archives that RFC 6113 made no > specification for including METHOD-DATA in a KDC_ERR_PREAUTH_EXPIRED error > packet, but a more recent message indicated general acceptance of the > whole document (with no specific mention of this text). My understanding > is that the concern related to the need to unambiguously specify how to > construct the error packet, since RFC 6113 did not give guideance on this > scenario (whereas RFC 4120 did give guidance for constructing error > packets for KDC_ERR_PREAUTH_FAILED), but the thread is old enough that I > would like another confirmation. My preference remains to send an unadorned KDC_ERR_PREAUTH_EXPIRED and let the client restart from the beginning, just as it would for an expired cookie. The extra round trip is a negligible cost for such an unusual event, and simplicity has value in a protocol as complicated as Kerberos. Seth Moore disagreed with me on the grounds that expired freshness tokens might not be rare; this argument seems far-fetched to me, but I think any further discussion on the point would be hand-waving. That said, I don't believe the text is problematic at this point, because it unambiguously specifies how to construct the error packet.
- [kitten] I-D Action: draft-ietf-kitten-pkinit-fre… internet-drafts
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Rick van Rein
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Paul Miller (NT)
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Rick van Rein
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Greg Hudson
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Michiko Short
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Benjamin Kaduk
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Greg Hudson
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Michiko Short