Re: [kitten] I-D Action: draft-ietf-kitten-cammac-02.txt
Greg Hudson <ghudson@mit.edu> Tue, 10 March 2015 01:05 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77B591ACEDE for <kitten@ietfa.amsl.com>; Mon, 9 Mar 2015 18:05:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fM4y-2gspo3m for <kitten@ietfa.amsl.com>; Mon, 9 Mar 2015 18:05:07 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id 256CC1ACED9 for <kitten@ietf.org>; Mon, 9 Mar 2015 18:05:06 -0700 (PDT)
X-AuditID: 12074422-f79d16d0000024cf-c5-54fe4342c7be
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 22.69.09423.2434EF45; Mon, 9 Mar 2015 21:05:06 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id t2A155VW020815 for <kitten@ietf.org>; Mon, 9 Mar 2015 21:05:06 -0400
Received: from [18.101.8.208] (vpn-18-101-8-208.mit.edu [18.101.8.208]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t2A154Sq008963 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <kitten@ietf.org>; Mon, 9 Mar 2015 21:05:05 -0400
Message-ID: <54FE4340.4070400@mit.edu>
Date: Mon, 09 Mar 2015 21:05:04 -0400
From: Greg Hudson <ghudson@mit.edu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: kitten@ietf.org
References: <20150309225924.25360.58204.idtracker@ietfa.amsl.com>
In-Reply-To: <20150309225924.25360.58204.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrEIsWRmVeSWpSXmKPExsUixCmqrOvk/C/EYMtKaYujm1exODB6LFny kymAMYrLJiU1J7MstUjfLoErY+aj+6wFd4QqTq96y9zA+IKvi5GTQ0LAROL7n63MELaYxIV7 69m6GLk4hAQWM0lcvXSOBSQhJHCMUeLI/FyIxE0miU+zr4EleAXUJLr6ZoHZLAKqEh2Xe9lA bDYBZYn1+7eCxUUFwiRmr7vICFEvKHFy5hOwuIiAsMTure/ANgsLOEr86D3ECrHMUWLpk1Ng NZwCThJ9LbvBbGYBPYkd13+xQtjyEs1bZzNPYBSYhWTsLCRls5CULWBkXsUom5JbpZubmJlT nJqsW5ycmJeXWqRrqpebWaKXmlK6iREUlOwuSjsYfx5UOsQowMGoxMPLYPIvRIg1say4MvcQ oyQHk5Iob6kjUIgvKT+lMiOxOCO+qDQntfgQowQHs5IIr4QWUI43JbGyKrUoHyYlzcGiJM67 6QdfiJBAemJJanZqakFqEUxWhoNDSYLX3wmoUbAoNT21Ii0zpwQhzcTBCTKcB2j4GpAa3uKC xNzizHSI/ClGRSlx3jqQhABIIqM0D64XljReMYoDvSLMuwfkbh5gwoHrfgU0mAloMDvzH5DB JYkIKakGxhDmO/9DGaYu8Fg9oVPtmP7i948+6kvenFp9Mq7+5OGNAddC/lRffl2kZ7nM/8Or /TNvfDZOWnHFSengwk18a3ZeMouPfhAVc3pbLevj/vkFt6OjdwoFN0sc3/j3j9qu+sUd3SVL ixYI7fllL3xV942C7e3F+vH7O+X0A7OU8v5qKctukzqzoEyJpTgj0VCLuag4EQAQFTqX9QIA AA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/Fai9V8kK9QoIQkFe17E5ub5sif4>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-cammac-02.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2015 01:05:09 -0000
On 03/09/2015 06:59 PM, internet-drafts@ietf.org wrote: > A diff from the previous version is available at: > http://www.ietf.org/rfcdiff?url2=draft-ietf-kitten-cammac-02 I'm not sure the new wording is quite right. The new draft contains: A KDC SHOULD only make verbatim copies of CAMMAC contents to a new CAMMAC when it has authenticated the CAMMAC as originating from a local realm KDC [...] When a KDC makes verbatim copies of CAMMAC contents to a new CAMMAC without having authenticated the first CAMMAC as originating from a local realm KDC, it SHOULD NOT apply a kdc-verifier to the new CAMMAC. The first recommendation doesn't contain an exception for ticket modification requests, where it is safe to copy a CAMMAC with only an svc-verifier as long as the new CAMMAC also contains only an svc-verifier. The second recommendation is confusing because it seems to apply only to a situation where the KDC is already violating the first SHOULD. One possible exception is when a realm's policy allows a KDC to make a verbatim copy of CAMMAC contents from a cross-realm TGT from designated "fully-trusted" remote realms. The local realm KDC can safely apply a kdc-verifier to a new CAMMAC based on the cross- realm TGT, because the client realm name in the resulting new ticket will be that of the remote realm. The presence of a remote client realm name allows the local realm KDC to identify the originator of the CAMMAC contents as being a remote realm. I agree with the first sentence but not the other two. I don't think the client principal communicates the origin of all CAMMAC assertions. For example, the authorization data in a CAMMAC might assert something like "this client principal is a member of the wheel group," where the client principal is in a foreign realm and "wheel" is in a group namespace applying to the server realm. Such an assertion should hopefully come from, or be explicitly vetted by, the server realm's KDC, not the foreign client realm. The KDC might have a policy which says that the foreign realm is higher-privilege and uses the same group namespace, but that would be a deliberate decision to trust the foreign realm, not a safe decision based on how the resulting CAMMAC will be interpreted. Also, a typo: "KDCM AY" should be "KDC MAY".
- [kitten] I-D Action: draft-ietf-kitten-cammac-02.… internet-drafts
- Re: [kitten] I-D Action: draft-ietf-kitten-cammac… Greg Hudson
- Re: [kitten] I-D Action: draft-ietf-kitten-cammac… Benjamin Kaduk