[kitten] Comments on draft-ietf-krb-wg-camac-08

Sam Hartman <hartmans-ietf@mit.edu> Mon, 28 July 2014 16:23 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36BE51A0342 for <kitten@ietfa.amsl.com>; Mon, 28 Jul 2014 09:23:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HPGKVRo6J5O4 for <kitten@ietfa.amsl.com>; Mon, 28 Jul 2014 09:23:07 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F35261A033B for <kitten@ietf.org>; Mon, 28 Jul 2014 09:23:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id C55DC20162 for <kitten@ietf.org>; Mon, 28 Jul 2014 12:20:06 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eMQ3pWHV03HL for <kitten@ietf.org>; Mon, 28 Jul 2014 12:20:05 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-50-177-27-27.hsd1.ma.comcast.net [50.177.27.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS for <kitten@ietf.org>; Mon, 28 Jul 2014 12:20:05 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id BB118800C0; Mon, 28 Jul 2014 12:23:01 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: kitten@ietf.org
Date: Mon, 28 Jul 2014 12:23:01 -0400
Message-ID: <tslwqax1mhm.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/D_mTgtqETKkxmnV_73nImDE_sV0
Subject: [kitten] Comments on draft-ietf-krb-wg-camac-08
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 16:23:15 -0000

Section 4:
I expect advice on whether this should be contained in ad-if-relevant
and on how an implementation that does understand this element should
process contained elements that it does not understand.

I believe this comment needs to be addressed prior to publication.



Section 5/6:

This document registers a new authorization data container but does not
provide a way to use that container.  Any authorization data designed to
fit within that container would require action from this working group
either to publish a document describing that authorization data or a
document establishing an IANA registry for authorization data.

I think that publishing a new authorization data container without a way
to legitimately use it dis not in the IETF's interest.  Either it won't
get used until we publish some document, in which case we're better off
holding off until that document is published and gaining implementation
experience with both.  Alternatively, it will get used by someone
squatting on a number, which is bad.

My recommendation is that we move the authorization data registry from
Kerberos IANA to section 6 here and remove section 5.
I feel reasonably strongly that publishing this document without either
an IETF consumer or an IANA registry is bad.


Section 7:

We only bind to the encrypted ticket part.  A KDC knows from the MAC
verification that it issued a ticket with the given encrypted part, but
has no confidence from that information what service key it encrypted
that ticket in nor the service name in the outer ticket.

How is a KDC supposed to make sure this authorization container was
issued to the service that claims to have received it.
At one level, you could argue that's a general issue with s4u and
similar.  At another level, we're introducing those mechanisms into the
IETF here, so I think we need to discuss that issue here.
we could either solve it in this document by including the principal
name to which the ticket is issued in something covered by the KDC MAC.
The obvious solution there would be to define an authorization data
element for an interested KDC to include.
Alternatively we could include an octet-string for KDC internal usage
that is covered by the MAC.

If we establish an IANA registry for authorization data types with
expert review or more liberal of a registration policy, then we could
document the issue without providing an explicit solution.