Re: [kitten] I-D Action: draft-ietf-krb-wg-cammac-09.txt

Benjamin Kaduk <kaduk@MIT.EDU> Mon, 08 September 2014 18:28 UTC

Date: Mon, 08 Sep 2014 14:28:43 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Greg Hudson <ghudson@MIT.EDU>
In-Reply-To: <540DE046.2020709@mit.edu>
Message-ID: <alpine.GSO.1.10.1409081426350.21571@multics.mit.edu>
References: <20140905195755.12365.12570.idtracker@ietfa.amsl.com> <ldvwq9h24e0.fsf@sarnath.mit.edu> <alpine.GSO.1.10.1409081219440.21571@multics.mit.edu> <540DE046.2020709@mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/H2E8sUvqDKTj7uQT7hzruN_emtk
Cc: kitten@ietf.org

On Mon, 8 Sep 2014, Greg Hudson wrote:

> On 09/08/2014 12:29 PM, Benjamin Kaduk wrote:
> > Aside from the extra "be" (in "be use") that Simo pointed out on IRC, I am
> > still not sure that I understand the last paragraph of the security
> > considerations.  That is, I don't see how using the S4U2Proxy extension
> > and having policy disallow the use of S4U2Proxy would result in similar
> > security properties.
>
> I think the extra "be" is supposed to be "not" or "never".

Yes, I think it makes more sense with that substitution.

> I suggest changing:
>
>     The KDC MAY create a new CAMMAC from an existing CAMMAC
>     lacking a kdc-verifier if it is inserting the new CAMMAC into a
>     service ticket for the same service principal as the ticket that
>     contained the existing CAMMAC, and if all of the realm's KDCs are
>     configured to reject S4U2Proxy requests made by that service
>     principal.
>
> to instead say, "... as the ticket that contained the existing CAMMAC,
> but MUST NOT place a kdc-verifier in the new CAMMAC."  This is simpler
> to implement.  By not putting a kdc-verifier in the new CAMMAC, we don't
> risk treating the new CAMMAC contents as definitively KDC-originated for
> a subsequent S4U2Proxy request if the policy changes.

That seems reasonable to me.

-Ben
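A constructed model of the two readings discussed above, added here as an illustration; it is not code from the draft or from any Kerberos implementation. HMAC-SHA256 stands in for the Kerberos checksum a real KDC would use for the kdc-verifier and svc-verifier, and the keys, principal names and ad-type number are made up. It shows why a CAMMAC derived from one lacking a kdc-verifier must not be given one: the derived CAMMAC under Greg's wording never passes the KDC's own origin check, whereas a kdc-verifier attached because realm policy happened to reject S4U2Proxy at the time survives a later policy change and would then be trusted as KDC-originated.

```python
# Constructed model of the CAMMAC re-issue rule discussed in this thread; not
# code from the draft or any Kerberos implementation.  HMAC-SHA256 stands in
# for the Kerberos checksum; keys, principals and ad-type numbers are made up.
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

ADElement = Tuple[int, bytes]  # (ad-type, ad-data)

KDC_KEY = b"constructed-kdc-key"  # key behind the kdc-verifier
SERVICE_KEYS = {                  # long-term keys of two service principals
    "HTTP/web.example.com@EXAMPLE.COM": b"constructed-http-key",
    "ldap/dir.example.com@EXAMPLE.COM": b"constructed-ldap-key",
}

@dataclass
class Cammac:
    elements: List[ADElement]
    kdc_verifier: Optional[bytes]  # None when the KDC does not vouch for origin
    svc_verifier: bytes            # MAC under the service principal's key

def _mac(key: bytes, elements: List[ADElement]) -> bytes:
    # Type/length framing so that different element lists never MAC the same.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for ad_type, ad_data in elements:
        h.update(ad_type.to_bytes(4, "big") + len(ad_data).to_bytes(4, "big") + ad_data)
    return h.digest()

def kdc_issue(elements: List[ADElement], service: str) -> Cammac:
    """Fresh CAMMAC for elements the KDC originated itself: both verifiers."""
    return Cammac(list(elements), _mac(KDC_KEY, elements),
                  _mac(SERVICE_KEYS[service], elements))

def kdc_originated(c: Cammac) -> bool:
    """What a KDC checks before treating CAMMAC contents as its own, e.g. on a
    ticket presented back as S4U2Proxy evidence."""
    return c.kdc_verifier is not None and hmac.compare_digest(
        c.kdc_verifier, _mac(KDC_KEY, c.elements))

def _check_derivable(existing: Cammac, existing_service: str, new_service: str) -> None:
    if existing_service != new_service:
        raise ValueError("derivation only allowed for the same service principal")
    # The svc-verifier proves integrity, not KDC origin: the service holds that key too.
    if not hmac.compare_digest(existing.svc_verifier,
                               _mac(SERVICE_KEYS[existing_service], existing.elements)):
        raise ValueError("svc-verifier does not validate")

def kdc_derive_proposed(existing: Cammac, existing_service: str, new_service: str) -> Cammac:
    """Greg's wording: same service principal only, and a CAMMAC derived from
    one lacking a kdc-verifier MUST NOT receive a kdc-verifier."""
    _check_derivable(existing, existing_service, new_service)
    if existing.kdc_verifier is not None:
        if not kdc_originated(existing):
            raise ValueError("kdc-verifier present but invalid")
        return kdc_issue(existing.elements, new_service)  # verified origin: re-vouching is fine
    return Cammac(list(existing.elements), None,
                  _mac(SERVICE_KEYS[new_service], existing.elements))

def kdc_derive_policy_gated(existing: Cammac, existing_service: str, new_service: str,
                            s4u2proxy_rejected: bool) -> Cammac:
    """The -09 text as the thread reads it: derivation gated on current realm
    policy, with the result vouched for like any KDC-issued CAMMAC.  The
    kdc-verifier outlives the policy that justified it."""
    _check_derivable(existing, existing_service, new_service)
    if existing.kdc_verifier is None and not s4u2proxy_rejected:
        raise ValueError("policy does not permit deriving from an unverified CAMMAC")
    return kdc_issue(existing.elements, new_service)

def demo() -> dict:
    web = "HTTP/web.example.com@EXAMPLE.COM"
    ldap = "ldap/dir.example.com@EXAMPLE.COM"
    elems = [(143, b"constructed element of unverified origin")]  # 143: placeholder ad-type
    unverified = Cammac(elems, None, _mac(SERVICE_KEYS[web], elems))
    derived = kdc_derive_proposed(unverified, web, web)
    gated = kdc_derive_policy_gated(unverified, web, web, s4u2proxy_rejected=True)
    try:
        kdc_derive_proposed(unverified, web, ldap)
        cross_service_rejected = False
    except ValueError:
        cross_service_rejected = True
    # Later the realm allows S4U2Proxy for HTTP/web and the ticket comes back as
    # evidence.  Only the policy-gated CAMMAC now passes as KDC-originated,
    # although its contents never were.
    return {
        "proposed_is_kdc_originated": kdc_originated(derived),             # False
        "policy_gated_is_kdc_originated": kdc_originated(gated),           # True
        "fresh_is_kdc_originated": kdc_originated(kdc_issue(elems, web)),  # True
        "cross_service_rejected": cross_service_rejected,                  # True
    }

if __name__ == "__main__":
    print(demo())
```

The svc-verifier check in the derivation path is there only for integrity; because the service principal holds the same key, it says nothing about whether the KDC originated the elements, which is exactly why the derived CAMMAC is left without a kdc-verifier.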