IETF Logo Mail Archive

Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-00.txt

Michiko Short <michikos@microsoft.com> Mon, 09 February 2015 21:19 UTC

Return-Path: <michikos@microsoft.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 316751A894C for <kitten@ietfa.amsl.com>; Mon, 9 Feb 2015 13:19:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gZ3AQ1iXFlmT for <kitten@ietfa.amsl.com>; Mon, 9 Feb 2015 13:19:14 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0761.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::761]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 166271A8900 for <kitten@ietf.org>; Mon, 9 Feb 2015 13:19:01 -0800 (PST)
Received: from BL2PR03MB212.namprd03.prod.outlook.com (10.255.230.151) by BL2PR03MB210.namprd03.prod.outlook.com (10.255.230.144) with Microsoft SMTP Server (TLS) id 15.1.81.12; Mon, 9 Feb 2015 21:18:38 +0000
Received: from BL2PR03MB212.namprd03.prod.outlook.com ([169.254.15.132]) by BL2PR03MB212.namprd03.prod.outlook.com ([169.254.15.132]) with mapi id 15.01.0081.018; Mon, 9 Feb 2015 21:18:38 +0000
From: Michiko Short <michikos@microsoft.com>
To: "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: I-D Action: draft-ietf-kitten-pkinit-freshness-00.txt
Thread-Index: AdBBi+Xf81L9FbgETLycsD7GvbRawA==
Date: Mon, 09 Feb 2015 21:18:38 +0000
Message-ID: <BL2PR03MB2125C0B7BFEA7D6E1999896D0270@BL2PR03MB212.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:ed31::3]
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BL2PR03MB210;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:;SRVR:BL2PR03MB210;
x-forefront-prvs: 04825EA361
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(13464003)(77156002)(54356999)(86362001)(19580405001)(19580395003)(87936001)(230783001)(50986999)(2501002)(450100001)(62966003)(92566002)(46102003)(107886001)(2900100001)(2351001)(15975445007)(102836002)(40100003)(110136001)(561944003)(33656002)(2656002)(76576001)(74316001)(99286002)(122556002)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2PR03MB210; H:BL2PR03MB212.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Feb 2015 21:18:38.1349 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2PR03MB210
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/HVusLpYnjESOWjSa3zqwzqCsZzg>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-00.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Feb 2015 21:19:17 -0000

1. Is this padata type needed at all?  

My understanding (confirmed by Sam) is that RFC 4120 extensibility guidelines require that the KDC ensure the clients understand the response. I am open to discussion.

2. If it is needed, does it need to have a different padata type value from PA-AS-FRESHNESS?

I am open to the idea. We can have a single padata-type (PA-AS-FRESHNESS) then specify in requests, the padata-value shall be empty and in responses, the padata-value contains the actual freshness token. What do others think?

3. The draft defines "PA-AS-FRESHNESS-REQUEST ::= NULL".  Is the intent that the client will use a padata-value of 05 00 (an ASN.1 NULL value encoded in DER)?  An empty padata-value would be more traditional and more compact.

Our proposal was ASN.1 NULL object (tag 5). An empty octet string for padata-value works, too.

4. The draft defines "PA-AS-FRESHNESS ::= OCTET STRING".  Is it desirable to wrap the freshness token in a DER OCTET STRING tag, or could we just transmit the value directly within the padata-value?  Of course the value still needs to have type OCTET STRING within the PKAuthenticator.

If we skip the OCTET STRING definition then we need to specify that the padata-value directly is the freshness octet string (i.e., no wrapping in the padata-value OCTET STRING). The PKAuthenticator needs to specify that the freshnessToken component is an OCTET STRING and with a comment that the value shall be as received in padata-value (basically just a copy of the whole DER-encoded padata-value value). The advantage though (besides  being shorter) is that we could now simply claim that the padata-value directly carries a freshness token, when non-empty. Is that what you were thinking?


5. It looks like this mechanism is general enough to be used by other preauthentication mechanisms in the future, if they have similar requirements.  Perhaps the RFC should explicitly call out that possibility.

I thought that as well which is why I pulled the PK out of the naming so that future extensions could use the token and it would not look odd. 


-----Original Message-----

----------------------------------------------------------------------

Message: 1
Date: Sun, 01 Feb 2015 12:37:54 -0500
From: Greg Hudson <ghudson@mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>, kitten@ietf.org
Subject: Re: [kitten] I-D Action:
	draft-ietf-kitten-pkinit-freshness-00.txt
Message-ID: <54CE6472.9050408@mit.edu>
Content-Type: text/plain; charset=windows-1252

I have some questions, mostly related to PA-AS-FRESHNESS-REQUEST:

1. Is this padata type needed at all?  The only benefit I can see is that KDCs can omit PA-AS-FRESHNESS from the PREAUTH_REQUIRED hint list if the client doesn't support it, but that benefit vanishes as more clients support the new feature.

2. If it is needed, does it need to have a different padata type value from PA-AS-FRESHNESS?

3. The draft defines "PA-AS-FRESHNESS-REQUEST ::= NULL".  Is the intent that the client will use a padata-value of 05 00 (an ASN.1 NULL value encoded in DER)?  An empty padata-value would be more traditional and more compact.

4. The draft defines "PA-AS-FRESHNESS ::= OCTET STRING".  Is it desirable to wrap the freshness token in a DER OCTET STRING tag, or could we just transmit the value directly within the padata-value?  Of course the value still needs to have type OCTET STRING within the PKAuthenticator.

5. It looks like this mechanism is general enough to be used by other preauthentication mechanisms in the future, if they have similar requirements.  Perhaps the RFC should explicitly call out that possibility.



------------------------------

Subject: Digest Footer

_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten


------------------------------

End of Kitten Digest, Vol 123, Issue 1
**************************************

v2.23.0 | Report a Bug | By Email