IETF Logo Mail Archive

Re: [kitten] Options for IAKERB compatibility issue

Love Hörnquist Åstrand <lha@kth.se> Tue, 07 May 2013 18:02 UTC

Return-Path: <lha@kth.se>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D766C21F946C for <kitten@ietfa.amsl.com>; Tue, 7 May 2013 11:02:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.948
X-Spam-Level:
X-Spam-Status: No, score=-1.948 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id huAJVc28he1F for <kitten@ietfa.amsl.com>; Tue, 7 May 2013 11:02:24 -0700 (PDT)
Received: from smtp-3.sys.kth.se (smtp-3.sys.kth.se [IPv6:2001:6b0:1:1300:250:56ff:fea6:2de2]) by ietfa.amsl.com (Postfix) with ESMTP id 6613721F942D for <kitten@ietf.org>; Tue, 7 May 2013 11:02:23 -0700 (PDT)
Received: from mailscan-3.sys.kth.se (mailscan-3.sys.kth.se [130.237.48.170]) by smtp-3.sys.kth.se (Postfix) with ESMTP id 742575B7; Tue, 7 May 2013 20:02:21 +0200 (CEST)
X-Virus-Scanned: by amavisd-new at kth.se
Received: from smtp-3.sys.kth.se ([130.237.48.192]) by mailscan-3.sys.kth.se (mailscan-3.sys.kth.se [130.237.48.170]) (amavisd-new, port 10024) with ESMTP id DZhKou4c5w8E; Tue, 7 May 2013 20:02:17 +0200 (CEST)
X-KTH-Auth: lha [2620:149:4:1b03:d88:9e8b:bf3b:3d46]
X-KTH-mail-from: lha@kth.se
Received: from [IPv6:2620:149:4:1b03:d88:9e8b:bf3b:3d46] (unknown [IPv6:2620:149:4:1b03:d88:9e8b:bf3b:3d46]) by smtp-3.sys.kth.se (Postfix) with ESMTPSA; Tue, 7 May 2013 20:02:10 +0200 (CEST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_F8A21F4B-CAB2-445F-B8DB-36CB24DA0477"
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1750\))
From: Love Hörnquist Åstrand <lha@kth.se>
In-Reply-To: <x7d4neg555c.fsf@equal-rites.mit.edu>
Date: Tue, 07 May 2013 11:02:05 -0700
Message-Id: <4969FAFD-094B-4774-B3B9-9B611FBF821A@kth.se>
References: <x7d4neg555c.fsf@equal-rites.mit.edu>
To: Greg Hudson <ghudson@MIT.EDU>
X-Mailer: Apple Mail (2.1750)
Cc: kitten@ietf.org
Subject: Re: [kitten] Options for IAKERB compatibility issue
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2013 18:02:31 -0000

2 is not an option, its 5 or 1. prefer 1. doubtless after doing interop testing we'll find more issues.

Love


6 maj 2013 kl. 11:34 skrev Greg Hudson <ghudson@MIT.EDU>:

> Here are some options for addressing the superficial incompatibilities
> between MIT's implementation of draft-zhu-ws-kerb and the current
> draft-kitten-ietf-iakerb (see [1] and [2] for details).
> 
> 1. We can ignore the problem.  MIT's implementation won't be compatible
>   with the standard and we won't be able to make it compatible without
>   breaking compatibility with ourselves.
> 
> 2. We can revert to the draft-zhu-ws-kerb superficialities.  This works
>   great for MIT, but presents OSX with the same problem as MIT would
>   have in #1.
> 
> 3. We can make the standard semi-compatible with both implementations:
>   - always generate generic token framing
>   - process framed or unframed messages after the first initiator token
>   - acceptors must process either kind of finished extension
>   - initiators may send either kind of finished extension
>   A standard acceptor would work with MIT and OSX initiators.  A
>   standard initiator can only be compatible with MIT or OSX acceptors
>   (it has to guess which type of finished extension to send), but will
>   always be compatible with a standard acceptor.
> 
> 4. Possibly in addition to #3, we could extend IAKERB-HEADER with a new
>   field that acts as an "I implement the standard" cue.  This option
>   would give MIT a path to generating the pku2u-style of finished
>   extension, but it doesn't create a better compatibility matrix than
>   just requiring acceptors to allow both kinds of finished extension.
> 
> 5. We can define a new mech OID for the standard.  I don't like this
>   option because I don't like proliferating krb5 mech OIDs.  It also
>   means the standard wouldn't interoperate with either OSX's or Apple's
>   implementation.
> 
> [1] http://www.ietf.org/mail-archive/web/kitten/current/msg03919.html
> [2] http://www.ietf.org/mail-archive/web/kitten/current/msg03984.html
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email