IETF Logo Mail Archive

Re: [kitten] WGLC on draft-ietf-kitten-pkinit-freshness-01

Benjamin Kaduk <kaduk@MIT.EDU> Sun, 04 October 2015 23:31 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CE0A1B34F7 for <kitten@ietfa.amsl.com>; Sun, 4 Oct 2015 16:31:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dWKng5hSUHNk for <kitten@ietfa.amsl.com>; Sun, 4 Oct 2015 16:31:25 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A84E1B34ED for <kitten@ietf.org>; Sun, 4 Oct 2015 16:31:22 -0700 (PDT)
X-AuditID: 12074423-f793f6d000007fc1-af-5611b6c9a1dd
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 49.65.32705.9C6B1165; Sun, 4 Oct 2015 19:31:21 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id t94NVK3e011035; Sun, 4 Oct 2015 19:31:21 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t94NVGOd015473 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 4 Oct 2015 19:31:20 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id t94NVF0I014936; Sun, 4 Oct 2015 19:31:15 -0400 (EDT)
Date: Sun, 04 Oct 2015 19:31:15 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Michiko Short <michikos@microsoft.com>
In-Reply-To: <alpine.GSO.1.10.1508161121510.22210@multics.mit.edu>
Message-ID: <alpine.GSO.1.10.1510012326350.26829@multics.mit.edu>
References: <alpine.GSO.1.10.1508161121510.22210@multics.mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrFIsWRmVeSWpSXmKPExsUixG6nontym2CYwfQvkhZHN69isfjXzefA 5LFkyU8mj9Ydf9kDmKK4bFJSczLLUov07RK4Mj4/Eyi4K17xuWkWcwPjM+EuRk4OCQETia0t K1khbDGJC/fWs4HYQgKLmSR+bPPtYuQCsjcwSqw99JkVwjnIJPGoaRYLRFW9xO1H59lBbBYB LYlfp98yg9hsAioSM99sBJskAhT/cOE0WD2zgLDE+nMzwGqEBZwlbs88A9bLKeAk0TzhPVgN r4CjxJVJx1gh5jtKfJl9mgnEFhXQkVi9fwpUjaDEyZlPoGZqSSyfvo1lAqPgLCSpWUhSCxiZ VjHKpuRW6eYmZuYUpybrFicn5uWlFuma6eVmluilppRuYgQHqYvyDsY/B5UOMQpwMCrx8B6I FwwTYk0sK67MPcQoycGkJMobqgYU4kvKT6nMSCzOiC8qzUktPsQowcGsJMLLuwwox5uSWFmV WpQPk5LmYFES5930gy9ESCA9sSQ1OzW1ILUIJivDwaEkwbt9K1CjYFFqempFWmZOCUKaiYMT ZDgP0PDJIDW8xQWJucWZ6RD5U4yKUuK8tiAJAZBERmkeXC84iexmUn3FKA70ijBvOkgVDzAB wXW/AhrMBDR4gSEfyOCSRISUVANjw8rAL+zV0Z9aZ9cc9jg0X8luUmO4fN9WI/36mFzT27vP aDVUOdd1l4mLpj/gONrTz65zWM3hqfNZ/fU5YRFRwry1jy4FCpgwCX11ms7a8Pm7f7jj3MUN R1w3/v6c+OofzwWj/UGm4X+/z2ssSmt6cP3/vB9dvof+TcjMW/62V6DvhqI5t6gSS3FGoqEW c1FxIgAdBf3I/QIAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/CLpRIBaSyESWe43rPW2mXEvVYws>
Cc: kitten@ietf.org
Subject: Re: [kitten] WGLC on draft-ietf-kitten-pkinit-freshness-01
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Oct 2015 23:31:27 -0000

Hi Michiko,

On Sun, 16 Aug 2015, Benjamin Kaduk wrote:

> This message begins the Working Group Last Call (WGLC) of "Public Key
> Cryptography for Initial Authentication in Kerberos (PKINIT) Freshness
> Extension" <draft-ietf-kitten-pkinit-freshness-01>. The WGLC will last two
> weeks, ending on Sunday, August 30th.  The draft is available at:

Looking over the traffic from the WGLC period, it seems that some
revisions to the document are required.  Going over the list's archive:

Greg noted that there was some ambiguity in section 2.4 regarding the
contents of the KRB-ERROR message in the case when a supplied freshness
token is not valid, in his message at
http://www.ietf.org/mail-archive/web/kitten/current/msg05783.html .

That message also raised the question of using KDC_ERR_PREAUTH_FAILED for
a retriable answer, which does not seem to have been resolved yet.  With
no hat on, I'm inclined to avoid KDC_ERR_PREAUTH_FAILED for retriable
errors.

Greg also made some editorial comments in that same message.

Bryce Nordgren also found an editorial change in
http://www.ietf.org/mail-archive/web/kitten/current/msg05794.html (the
content question in that message seems to have been resolved in subsequent
list traffic).

Bryce also notes in a later message that the document should say that the
implementation-defined validation procedure must actually guarantee
freshness.  Something similar to Greg's explanation in
http://www.ietf.org/mail-archive/web/kitten/current/msg05795.html might be
reasonable, say, in the security considerations.

I also supplied a couple editorial comments in
http://www.ietf.org/mail-archive/web/kitten/current/msg05801.html

jhutz made some (mostly) editorial suggestions in his review,
http://www.ietf.org/mail-archive/web/kitten/current/msg05802.html (some of
the non-editorial comments are mitigated by Greg's follow-up in
http://www.ietf.org/mail-archive/web/kitten/current/msg05803.html )

This question from jhutz's message remains unresolved:
"Do we need to call out that a client MUST use a freshness token it got
during an earlier iteration of the same AS exchange?  So, for example,
it can't change its mind about principal names or KDC options or
requested AD and still expect the freshness token to be valid?"  I don't
think this is a particularly critical issue, so it may suffice to just
note that a KDC implementation MAY bind the freshness token to parameters
in the AS-REQ, so the client implementation should use the freshness token
it got during an earlier iteration of the same AS exchange or be prepared
to handle failures resulting from the KDC validation failure for the
binding to the AS-REQ parameter(s).


Can you please generate a revised I-D addressing these comments (i.e.,
including proposed resolutions to the as-yet-unresolved questions)?
Depending on the scope of the changes, another WGLC may be needed; if the
changes are minor and uncontroversial, we might be able to skip it.

Thanks,

Ben

v2.23.0 | Report a Bug | By Email