IETF Logo Mail Archive

Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review

Nico Williams <nico@cryptonector.com> Mon, 04 August 2014 18:07 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 709501A00D7; Mon, 4 Aug 2014 11:07:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Ywo_xafcRAD; Mon, 4 Aug 2014 11:07:06 -0700 (PDT)
Received: from homiemail-a72.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id D23C01A00DA; Mon, 4 Aug 2014 11:07:04 -0700 (PDT)
Received: from homiemail-a72.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a72.g.dreamhost.com (Postfix) with ESMTP id 8C0C36B007E; Mon, 4 Aug 2014 11:07:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=0dXDsy0Ue272hz 9eg5SL7RwyjdI=; b=ZHXbKQCF6o2UgN2kg3gJLx1IOvt7DXgwnmo0K77SLTSqkT cY/+L9oM/qcUar5VFRXfhrdnDwiHiQJPzqWNoFlpKajJsPaBBEgeCEwXfX3H7gEC yV99YbQBo+xzKDTB6PAAtSLDUdQ00kkFKYZR+B00BcXw0H3hprHy3X/Rg/ENQ=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a72.g.dreamhost.com (Postfix) with ESMTPA id 13ED76B0078; Mon, 4 Aug 2014 11:07:03 -0700 (PDT)
Date: Mon, 04 Aug 2014 13:07:03 -0500
From: Nico Williams <nico@cryptonector.com>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Message-ID: <20140804180702.GQ3579@localhost>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com> <alpine.GSO.1.10.1407301239260.21571@multics.mit.edu> <20140801224505.GB3579@localhost> <alpine.GSO.1.10.1408030123160.21571@multics.mit.edu> <20140804154746.GE3579@localhost> <alpine.GSO.1.10.1408041314180.21571@multics.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.GSO.1.10.1408041314180.21571@multics.mit.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/GNHj4bwQrjxrGgFX7lPhyfl9wFw
Cc: "kitten@ietf.org" <kitten@ietf.org>, "Adamson, Andy" <William.Adamson@netapp.com>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Aug 2014 18:07:07 -0000

On Mon, Aug 04, 2014 at 01:22:22PM -0400, Benjamin Kaduk wrote:
> On Mon, 4 Aug 2014, Nico Williams wrote:
> >Then you're proposing that criticality be described for the other cases
> >where it's provided, correct?  I agree.
> 
> I think so?  I'm not sure I understand exactly what you're saying.
> The main thing I'm saying is that we define a critical bit for all
> types of rgss3_assertion, but do not specify what to set it to for
> one branch of the rgss3_assertion_u union.  That looks like what
> you're saying, too.

The critical bit is already factored out.  We should do the same for the
text.

> >>[...]
> >
> >I'm not sure that we can have a "host without credentials" any more
> >since anonymous PKINIT (and equivalents for other mechanisms[*])
> >suffices for the purpose of protecting the client from the user.
> 
> Many krb5 realms do not have PKINIT enabled on the KDC.

"Meh".  If they don't want PKINIT then they must key their clients.  If
they don't want to key their clients then they must enable anon PKINIT.

(Another possibility is to deploy a different mechanism for the
client<->server contexts.)

For single user systems where the user owns the system there is no need
for client credentials, and anyways, device enrolment can take care of
that.

The point is that clients can be expected to have credentials suitable
for this purpose.  I think this is quite clearly true.

Nico
--

v2.29.0 | Report a Bug | By Email | System Status