Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Ken Hornstein <kenh@pobox.com> Sun, 19 February 2023 19:44 UTC

From: Ken Hornstein <kenh@pobox.com>
To: "kitten@ietf.org" <kitten@ietf.org>
In-Reply-To: <6cb6f5ddfc7b9b150b4eef72db5a3f3b9566fd80.camel@redhat.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <6cb6f5ddfc7b9b150b4eef72db5a3f3b9566fd80.camel@redhat.com>
Date: Sun, 19 Feb 2023 14:43:54 -0500
Message-Id: <20230219194355.36139173DDE@pb-smtp2.pobox.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/DkZaX9PwpaWYXNQGXK2u439vdUk>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

>Just throwing it out here, because I sure would love to make it
>possible (and easier) to use kerberos-backed out on the Web, without
>all the issues that come with multiple-roundtrips, which are what I
>find breaks most of these scenarios (the complexity of the protocol
>itself and the unfamiliarity of any non-password/bearer based auth
>scheme aside).

You know, the frustrating thing to me (as a Kerberos fan) is that
the multiple roundtrips problem isn't a Kerberos problem but more
related to all of the stuff layered on top of Kerberos (GSS, SPNEGO,
etc etc).  I see how we got here, but I always was a bit skeptical of
the value-add of all of those layers in practice.

As an aside ... it seems to me that a constant of history is that it
is impossible to predict how protocols will evolve (another constant:
the most commonly implemented security protocol will be the least common
denominator).  Maybe eventually we'll all be dismissing Java Web Tokens
and REST APIs as "legacy protocols".  I'm not arguing against something
that works in the modern world, just commenting that it's impossible to
know how things will evolve.

--Ken