[kitten] Roman Danyliw's No Objection on draft-ietf-kitten-krb-spake-preauth-11: (with COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Wed, 17 January 2024 23:05 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: kitten@ietf.org
Delivered-To: kitten@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 380DAC14F6BE; Wed, 17 Jan 2024 15:05:56 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-kitten-krb-spake-preauth@ietf.org, kitten-chairs@ietf.org, kitten@ietf.org, Nicolas Williams <nico@cryptonector.com>, nico@cryptonector.com
X-Test-IDTracker: no
X-IETF-IDTracker: 12.2.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <170553275621.31201.4818856239789345318@ietfa.amsl.com>
Date: Wed, 17 Jan 2024 15:05:56 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/Dk36fxAKwwTFv1f0ODDCohC9jjk>
Subject: [kitten] Roman Danyliw's No Objection on draft-ietf-kitten-krb-spake-preauth-11: (with COMMENT)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jan 2024 23:05:56 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-kitten-krb-spake-preauth-11: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-kitten-krb-spake-preauth/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- ** On a process note, I observe that: -- the IETF LC on this document occurred 3.5 years ago (May 2020). Is there confidence on the consensus? -- the Shepherd Report from January 2019 is wrong about IPR: there was an IPR claim filed in Jun 2020. -- the Shepherd Report comments about referencing draft-irtf-cfrg-spake2-06. That was published as RFC9382 in September 2023. ** Section 2 This mechanism uses a derivation similar to the second algorithm (SPAKE2) with differences in detail. What does “differences in detail” mean? ** Section 2. [SPAKE] needs to be a normative reference. Likewise, as John Scudder mentioned, please improve the current reference text with a DOI pointer. ** Section 4.1. Per the SECDIR review discussion: ==[ snip ]== > Upon receipt of this AS-REQ, a KDC which > requires pre-authentication and supports SPAKE SHOULD reply with a > KDC_ERR_PREAUTH_REQUIRED error, with METHOD-DATA containing an empty > PA-SPAKE PA-DATA element > > SHOULD? Why might it not? What happens if it doesn’t? (So, why isn’t it > MUST, and how can an implementor decide whether it’s OK not to?) A principal might be configured to require specific pre-authentication mechanisms. Or a principal might have no associated long-term keys, in which case only preauth mechanisms like PKINIT or FAST OTP (which do not use long-term keys) can be offered. ==[ snip ]== Consider adding some version of this explanation to the text. I also initially have the same question. ** Section 12.1.1 Reference: URI or otherwise unique identifier for where the details of this algorithm can be found. It should be as specific as reasonably possible. Why is the Reference for "Kerberos Second Factor Types" defined as above but the “Kerberos SPAKE Groups” registry defines references (e.g., Specification, Serialization, etc) to as a “Reference to the definition ...). Aren’t all of these entries some version of “Specification Required”? ** Appendix B. Python needs a normative reference.
- [kitten] Roman Danyliw's No Objection on draft-ie… Roman Danyliw via Datatracker
- Re: [kitten] Roman Danyliw's No Objection on draf… Greg Hudson