Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
Nico Williams <nico@cryptonector.com> Wed, 22 February 2023 04:14 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5A43C14CEFA for <kitten@ietfa.amsl.com>; Tue, 21 Feb 2023 20:14:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4zxRE0nhLFBR for <kitten@ietfa.amsl.com>; Tue, 21 Feb 2023 20:14:11 -0800 (PST)
Received: from quail.birch.relay.mailchannels.net (quail.birch.relay.mailchannels.net [23.83.209.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96102C14F720 for <kitten@ietf.org>; Tue, 21 Feb 2023 20:14:11 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id C05D81017F5; Wed, 22 Feb 2023 04:14:10 +0000 (UTC)
Received: from pdx1-sub0-mail-a299.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 51BAD101694; Wed, 22 Feb 2023 04:14:10 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1677039250; a=rsa-sha256; cv=none; b=CKrUE7USLYWcgqbSW/YUTD3GyCS0zdLPDzWVAZ/2XO6+jZyiYh9PZY67V424pNAxDy/Dfh RhgbuifQ34Ob2qxMfvBynyG8CzFFRPcdHdBg/z4UHddNLeJ9MGebmW9eq+eGTEHsYqpdpQ TvYmQpCDgB30Ih6jw78xtfrrfM4vYHpg/f1Txe4VFZIuYOuF3SbxNnp+37akRV7m/I2Dux kRd0tncdGxzo2KrX6p756kU98q/4ypXtq41Tjt9lh3oV2wB2vKQjU+GVCZL8oPv6DoGA6/ FtufxUcyWlMBuI2TC9gRQMwrNrmloF7SMVM6AfhYlFezVdF/qbbxuqpqM7FmPQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1677039250; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=xLVJXEpNYrUuVlVlqVoVox0l7cOqM+hqoddEkvM9rP0=; b=v8j9xG8ZUFcYvT6fdct3Kp2LCsHZrSz2b76eH/M4dtglFgRMX1GLNWEOEwrzXcuujeUrt5 lkbGsgi3uBSqyi6akgOugz+Z0F/t+eRMt219/FwmArZzaPtoA3iYirrxb3Y2VbCvebQ05Z NOUvEWR8QfWYdcl6ZywzzLTc6bqnEQBfxjYYHH4x+YMi0b8JYWmTmFGd4OHGQo6qkaFP7Y capp2tK6FngN1DeOXPjcy/bhUN/4eDd69ychuK/wBBhn52CO/KULG8PXUHIQ9Jpkd6BhoY eHblJW3Fy6saSpIYOmUxNsRHTE20dryStZz1I7/oavs5itMQ0y197T5cTPblsw==
ARC-Authentication-Results: i=1; rspamd-5db48964c-tlhbm; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Unite-Tart: 5415b3b400153776_1677039250586_2842070584
X-MC-Loop-Signature: 1677039250586:3203863495
X-MC-Ingress-Time: 1677039250585
Received: from pdx1-sub0-mail-a299.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.103.24.101 (trex/6.7.1); Wed, 22 Feb 2023 04:14:10 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a299.dreamhost.com (Postfix) with ESMTPSA id 4PM2pn4B2HzBR; Tue, 21 Feb 2023 20:14:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1677039250; bh=xLVJXEpNYrUuVlVlqVoVox0l7cOqM+hqoddEkvM9rP0=; h=Date:From:To:Cc:Subject:Content-Type; b=SwouBs/VHfxJqmKrXj3DFieIAUgpUhYMCmSbI0LFnmXseeL591o2fCp/NGVfTL5Zt zTksBn0t3RdC38ucG6ch7dPIOfH+eL9np2VC6g2PoKOG2HD8mGbl6k+ODAu+OXhkD/ qgBJyNq79aEtOwDRa/8U9GAiUjfDaJ0GtxbqMTtOK4pZlYYhM5IU/8ltth9WYCnwMD O2NXoO7zf85RRBW+i/yANVqaZ7RnfmELcA76Ww+z6LbeDSiJBCHwl2q0gb9bzcHJzL NGFcYwPVTjMWSif+o8o5m6LJTQm1wD2YOyc8x8SA3m2Fwm16HwY4yrZ3nQitmSZxSy NgU+2fCYrQuOw==
Date: Tue, 21 Feb 2023 22:14:06 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
Cc: Luke Howard Bentata <lukeh@padl.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/WWjumkyhEjMvda@gmail.com>
References: <7064A9EB-EB01-426C-9BED-AFB97FA93551@padl.com> <Y/Q7hdTOF1HaxQKM@gmail.com> <Y/RFX4XywCAlhCeB@gmail.com> <MW4PR21MB197087AF4BB7632B0DF662619CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/T/3wwBIMZ+2mf6@gmail.com> <MW4PR21MB197051A332E7DD85FFB91EE69CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/UMA7xZYpOAWK4N@gmail.com> <MW4PR21MB19700BA2F20F8CC779F72CD39CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/VnjL/IBYXFWkYX@gmail.com> <MW4PR21MB1970EAD9739BFA099B05F4779CAA9@MW4PR21MB1970.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <MW4PR21MB1970EAD9739BFA099B05F4779CAA9@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/JaUuoH6iXog1aGe5KuL1J9ts-kA>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2023 04:14:15 -0000
On Wed, Feb 22, 2023 at 03:07:48AM +0000, Steve Syfuhs (AP) wrote: > True. In the cross-realm krbtgt case we give it an hour I think. I was > always under the impression that we had that coded that way because of > replication delays. Or are you thinking hypothetically if one were to > build this from scratch, today? People I know will be doing one of these trust account password changes soon. It'd be good to know if it's really one hour so we can tune down the krbtgt/${AD_REALM} principals' ticket lifetimes. A then-client of mine did one of these rotations in 2012, and we tuned x-realm krbtgt ticket lifetimes way down ahead of rotating the keys on a Saturday to avoid any downtime. Workable, but expensive in terms of labor. Key rotations should be smooth w/o manual intervension. This is especially important given that because they've not been smooth people don't rotate them, and now you're retiring RC4 and so they have to rotate them. Is there some guidance doc for this somewhere? > GMSA-wise, a ticket will never be encrypted with an out of date key. > It's issued to the N key with the ticket set to expire when the > password is set to roll over. If you're looking to postdate a ticket > (not something I'm keen on folks doing), you could encrypt to N+1 > because all versions of the key are always derivatives of a constant > secret plus a time epoch. TOTP on a grander scale if you will. I feel a bit uncomfortable with non-overlapping key periods. For one thing there's clock skew to think about. For another the ticket lifetimes will not be the same every time a client requests a ticket -- weird! but especially given that they decrease to zero. The window of time for which that could be a problem seems small, but I bet it does cause problems. Maybe you've seen hiccups in your telemetry? I worry that hiccups in apps that retry with a backoff timer might be getting papered over and you're missing hiccups in non-Windows, customer apps. I would prefer that key lifetimes overlap a bit. The Heimdal virtual principal service namespace feature too does time-based key derivation (good to know we're not the only ones thinking of such things!), but it does allow the service to fetch multiple kvnos (all the ones the service could need given configured ticket lifetimes and key epochs and current time), and does not cause ticket lifetimes to be variable. This a friendly suggestion that AD should store at least up to two keys per account (plus a time at which each key was set). Nico --
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Greg Hudson
- [kitten] Windows Intent to revive and implement I… Steve Syfuhs (AP)
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Greg Hudson
- Re: [kitten] Windows Intent to revive and impleme… josh.howlett
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Replacing Kerberos (Re: Windows Intent t… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Ken Hornstein
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Paul Romero
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Luke Howard
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Andrew Bartlett
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Updates to IAKERB (Re: Windows Intent to… Nico Williams
- Re: [kitten] Updates to IAKERB (Re: Windows Inten… Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos D.Rogers
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Watson Ladd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Simo Sorce