Re: [kitten] Fwd: New Version Notification for draft-vanrein-dnstxt-krb1-05.txt
Greg Hudson <ghudson@mit.edu> Fri, 18 September 2015 15:15 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C31CB1B2DF2 for <kitten@ietfa.amsl.com>; Fri, 18 Sep 2015 08:15:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Kplm4q-1TG4 for <kitten@ietfa.amsl.com>; Fri, 18 Sep 2015 08:15:49 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 894EE1B2DE1 for <kitten@ietf.org>; Fri, 18 Sep 2015 08:15:48 -0700 (PDT)
X-AuditID: 1209190e-f79296d00000051c-1e-55fc2aa32226
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 12.D4.01308.3AA2CF55; Fri, 18 Sep 2015 11:15:47 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id t8IFFkio023592; Fri, 18 Sep 2015 11:15:46 -0400
Received: from [18.101.8.182] (vpn-18-101-8-182.mit.edu [18.101.8.182]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t8IFFgX2015006 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 18 Sep 2015 11:15:45 -0400
To: Nico Williams <nico@cryptonector.com>, Rick van Rein <rick@openfortress.nl>
References: <20150915143628.21162.89108.idtracker@ietfa.amsl.com> <55F82DA5.10504@openfortress.nl> <alpine.GSO.1.10.1509172254390.26829@multics.mit.edu> <55FBF0C8.6090904@openfortress.nl> <20150918140247.GB13294@localhost>
From: Greg Hudson <ghudson@mit.edu>
X-Enigmail-Draft-Status: N1110
Message-ID: <55FC2A9E.8050509@mit.edu>
Date: Fri, 18 Sep 2015 11:15:42 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <20150918140247.GB13294@localhost>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprAKsWRmVeSWpSXmKPExsUixCmqrbtY60+owdkGKYujm1exWJy6doTN 4umre2wOzB4vT51j9Fiy5CeTx4Z/TWwBzFFcNimpOZllqUX6dglcGbOfbWEt2CFY8Xf9ebYG xl+8XYycHBICJhKPNz9hh7DFJC7cW8/WxcjFISSwmEni3f3drBDORkaJtbMbmSCcI0wSGxu7 GUFahAWiJE6tOscMYosIREjMXL4TquMJo8S0Z7fYQBLMAuoSR583gdlsAsoS6/dvZYHYJyfR 2z0JzOYVUJP4tug2mM0ioCqxbs9DsHpRoKGnzr5lg6gRlDg58wlYDaeAvsTs7h/sEPP1JHZc /8UKYctLNG+dzTyBUWgWkpZZSMpmISlbwMi8ilE2JbdKNzcxM6c4NVm3ODkxLy+1SNdYLzez RC81pXQTIzjgJfl2MH49qHSIUYCDUYmH18Pjd6gQa2JZcWXuIUZJDiYlUd5czT+hQnxJ+SmV GYnFGfFFpTmpxYcYJTiYlUR4194AKudNSaysSi3Kh0lJc7AoifNu+sEXIiSQnliSmp2aWpBa BJOV4eBQkuCdADJUsCg1PbUiLTOnBCHNxMEJMpwHaPhDkBre4oLE3OLMdIj8KUZFKXHeBpCE AEgiozQPrheckFI5tr1iFAd6RZiXDZiehHiAyQyu+xXQYCagwa9if4EMLklESEk1MApnVrvO njabg0Xszefa9TtTtr5y7bLL/9hoNikoy/C299x69cKqJbc6T5vciOyoW2e+N3u7hPJKMS61 9qn1b5+sure9qsL89+bvuzLX19x/eTj0ek3IphdmIhVSE5aq3D/Cd/qIad/ubXkCZZ8eJf+8 pOK7MN7iQunU5tgKn+i/25mfFrxj81NiKc5INNRiLipOBABPFXX5IwMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/CN4j-fZjkKaUgwPCfViGJknnILE>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] Fwd: New Version Notification for draft-vanrein-dnstxt-krb1-05.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2015 15:15:50 -0000
On 09/18/2015 10:02 AM, Nico Williams wrote: > I'm very reluctant to agree to that, but I'd agree to saying that a TGS > client should first try the realm as it appears in the PTR RR and then > as up-cased if the first failed. That is a non-starter for me. The case of the realm as it appears in the PTR RR is influenced by the case used in the query; it cannot be treated as canonical. Fallback KDC queries complicate security and performance analysis, and I prefer to avoid them whenever possible. I am provisionally okay with Rick's proposal that the record must either refer to an uppercase realm or a realm with KDCs that can canonicalize the uppercase realm to the correct realm. I am also okay with using TXT. > The only thing that concerns me is how to canonicalize realm names for > name-based authorization. This is the case where an AS client used an > alias realm name and now cannot get authorized to access some resources. I assume that if you use the wrong realm name with an AD KDC, you get back a WRONG_REALM response, and the client tries again with the correct case of the realm. This only works when the client uses the CANONICALIZE flag, which MIT krb5 clients don't do by default, and the WRONG_REALM response isn't authenticated. I am not sure what should change there, but simply issuing a ticket for the non-canonical realm seems out of the question. These DNS records are more likely to be used for service principal names than client principal names anyway. I am not really fond of our aliasing story for service names (I never understood why we chose to lie to clients instead of correcting them), but it does work by default, up until the point where application servers can't reliably use the sname and realm in the Ticket for diagnostic purposes. Rick wrote: > If you guys are happy with this, I will jump back to DNSEXT and propose > it there, and push it forward to get an RRTYPE assigned. Rick, in http://www.ietf.org/mail-archive/web/kitten/current/msg05840.html it seemed like you agreed to use an existing RR type. So I am confused why this draft update still defines a KREALM RR type and why you are talking about getting an assignment.
- [kitten] Fwd: New Version Notification for draft-… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Benjamin Kaduk
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Nico Williams
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson
- Re: [kitten] Fwd: New Version Notification for dr… Viktor Dukhovni
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson