Re: [kitten] PKCROSS and philosophical tangents...

Ken Hornstein <kenh@cmf.nrl.navy.mil> Fri, 31 January 2014 17:50 UTC

Message-Id: <201401311750.s0VHoV9a010086@hedwig.cmf.nrl.navy.mil>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: "kitten@ietf.org" <kitten@ietf.org>
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E683D80@001FSN2MPN1-046.001f.mgd2.msft.net>
Date: Fri, 31 Jan 2014 12:50:32 -0500

>PKCROSS seems to me to be about providing agility while preserving
>accurate identification. It seems that a section on distributed CA
>schemes may be warranted, if only to put the full PKI scheme in
>context. OTOH: Is it worthwhile to allow implementers to provide
>alternative methods of evaluating trust in certificates? Omar, 2009
>gives an overview that I found helpful. I put some references below
>which may be useful for the draft.

I come from a relatively flexible universe where we do a lot of
cross-realm, so I've thought a significant amount about this (also, we
have a lot of users who aren't part of our organization).  Here are
my thoughts:

- I personally am not a fan of the term "agile" in this context, because
  it's too vague (what, exactly, do you mean by that?).
- PKCROSS seems to me to want to give you the ability to do regular old
  Kerberos cross-realm without having to actually set up symmetric
  cross-realm keys ... and I've done that a lot, and I can testify that
  it's a huge pain.  But it's still Kerberos aside from that.
- If you need Kerberos to access your site's resources, then you have two
  choices: either a) do cross-realm with some place they do have a principal
  with, or b) give them a principal on your KDC.  That's all backended by
  tedious paperwork and ACL settings, but I think in terms of actual
  technology that's what your choices are.
- In my experience the TECHNICAL issues are relatively straightforward; it's
  dealing with management that's the challenge.

I looked at the papers you posted; they seem interesting, but if the goal
is to use one of those systems to get a Kerberos TGT ... well, I'd wonder
what the advantage would be compared to one of the existing systems.

--Ken