Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review

"J. Bruce Fields" <bfields@fieldses.org> Mon, 04 August 2014 16:00 UTC

Date: Mon, 04 Aug 2014 12:00:16 -0400
To: Nico Williams <nico@cryptonector.com>
Message-ID: <20140804160016.GC23341@fieldses.org>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com> <alpine.GSO.1.10.1407301239260.21571@multics.mit.edu> <20140801055401.GA7409@localhost> <8FD0C272-6FD3-44FE-BD3D-BAB220E0FF13@netapp.com> <20140801221535.GA3579@localhost>
In-Reply-To: <20140801221535.GA3579@localhost>
From: "J. Bruce Fields" <bfields@fieldses.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/Cw2MpuQqd1apHIjy4TuBLqyOH-E
Cc: "kitten@ietf.org" <kitten@ietf.org>, "Adamson, Andy" <William.Adamson@netapp.com>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review

On Fri, Aug 01, 2014 at 05:15:36PM -0500, Nico Williams wrote:
> On Fri, Aug 01, 2014 at 08:28:25PM +0000, Adamson, Andy wrote:
> > On Aug 1, 2014, at 1:54 AM, Nico Williams <nico@cryptonector.com> wrote:
> > > On Thu, Jul 31, 2014 at 06:38:09PM -0400, Benjamin Kaduk wrote:
> > >> Hmm, this seems to have gotten rather long.  
> > 
> > Well, it’s two pages shorter than draft-williams-rpcsecgssv3-02.txt (!)
> 
> :)
> 
> > >> Multi-principal authentication
> > >> 
> > >> This draft proposes a multi-principal authentication scheme,
> > >> restricted to just the case of a privileged client process on a
> > > 
> > > No, not only the case of a privileged client process.
> > 
> > Sure, but for the Multi-principal piece we do say the following which says that the use-case is privileged client process….
> 
> It was always my intention that traditional (read: multi-user
> shared-cache) NFS client implementations would just always use
> "multi-principal" contexts when doing any RPCs on a user's behalf.
> 
> That is, addressing the "user can impersonate the server to the client"
> problem was always my first and foremost goal with this protocol, though
> I didn't always say so explicitly (since at the time the attack was not
> well-known, I didn't want to publicize it).

Oh, that's really helpful to know.

It'd be great if we could get a paragraph into the draft explaining
this.  (And also the server-to-server copy stuff, and any other example
uses.)  It's easier to understand with the motivations.

--b.
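As an added illustration of the attack Nico's reply refers to (the "user can impersonate the server to the client" problem on a multi-user, shared-cache NFS client), here is a toy model. This is not code from the draft or from any of the posters: the keys, file handles and file contents are constructed, and the multi-principal key derivation below is a stand-in for the draft's child context (which the draft creates under the client host's parent context rather than by mixing keys); it is an assumption of the model. Mallory is assumed to be an unprivileged local user who holds her own GSS credential and can substitute a reply to her own RPC on the network.

```python
import hashlib
import hmac

# Constructed keys and data for the toy model (not real credentials).
HOST_KEY = b"client-host-machine-credential-key"      # held by root/gssd only
USER_KEYS = {
    "alice": b"alice-gss-context-key",                # each user holds their own
    "mallory": b"mallory-gss-context-key",
}
FILES = {"fh-profile": b"honest /etc/profile contents"}
FORGED = b"MALLORY'S TROJANED CONTENT"


def mic(key: bytes, msg: bytes) -> bytes:
    """Toy integrity tag standing in for GSS_GetMIC over an RPC reply."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def context_key(user: str, multi_principal: bool) -> bytes:
    """Key protecting RPCs done on `user`'s behalf.

    Single-principal: the user's own context key, which the user holds
    because it is their credential.  Multi-principal: a child key that also
    depends on the host's machine credential (assumption of the toy model;
    the draft derives the child context from the host's parent context).
    """
    if not multi_principal:
        return USER_KEYS[user]
    return hmac.new(HOST_KEY, b"mp:" + USER_KEYS[user], hashlib.sha256).digest()


class SharedCacheClient:
    """Traditional multi-user NFS client: one data cache shared by all users."""

    def __init__(self, multi_principal: bool):
        self.multi_principal = multi_principal
        self.cache = {}  # fh -> data, served to every local user

    def accept_reply(self, user: str, fh: str, payload: bytes, tag: bytes) -> bool:
        """Verify a READ reply under the context used for the call, then cache it."""
        key = context_key(user, self.multi_principal)
        if not hmac.compare_digest(mic(key, payload), tag):
            return False  # bad MIC: reply dropped, cache untouched
        self.cache[fh] = payload
        return True

    def read(self, fh: str):
        return self.cache.get(fh)


def server_reply(user: str, fh: str, multi_principal: bool):
    """Honest server answers under the same context the client called with."""
    payload = FILES[fh]
    return payload, mic(context_key(user, multi_principal), payload)


def mallory_forged_reply(fh: str):
    """Mallory knows only her own context key: no root, no machine credential."""
    return FORGED, mic(USER_KEYS["mallory"], FORGED)


def run_scenario(multi_principal: bool):
    """Return (forgery_accepted, what alice then reads from the shared cache)."""
    client = SharedCacheClient(multi_principal)
    # Alice reads the file honestly; the client caches the real contents.
    client.accept_reply("alice", "fh-profile",
                        *server_reply("alice", "fh-profile", multi_principal))
    # Mallory issues her own READ and answers it herself in the server's place.
    accepted = client.accept_reply("mallory", "fh-profile",
                                   *mallory_forged_reply("fh-profile"))
    return accepted, client.read("fh-profile")
```

With single-principal contexts the forged reply verifies (it was MIC'd with the key the call was made under, which Mallory legitimately holds) and the shared cache now serves Mallory's content to Alice. With the multi-principal context the accepted key depends on HOST_KEY, which only the privileged client process has, so the forgery fails and the cache keeps the honest data; that is the reason the reply above gives for a shared-cache client always using multi-principal contexts for RPCs done on a user's behalf.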