Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Nico Williams <nico@cryptonector.com> Tue, 21 February 2023 03:33 UTC

Date: Mon, 20 Feb 2023 21:33:25 -0600
From: Nico Williams <nico@cryptonector.com>
To: Luke Howard Bentata <lukeh@padl.com>
Cc: Ken Hornstein <kenh@pobox.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/Q7hdTOF1HaxQKM@gmail.com>
In-Reply-To: <7064A9EB-EB01-426C-9BED-AFB97FA93551@padl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/JysRmTEWsSTLtcJ8vz2eYVGFYHI>

On Tue, Feb 21, 2023 at 11:54:06AM +1100, Luke Howard Bentata wrote:
> > On 21 Feb 2023, at 11:44 am, Nico Williams <nico@cryptonector.com> wrote:
> >> There are good reasons why Kerberos is still around; the shortcomings of
> >> other systems are among them.  But there's been zero work in 30 years on
> >> making Kerberos easy to deploy, orchestrate, and operate.  [...]
> > 
> > Ah, not to give offense to folks like Simo and Roland that have done a
> > lot of work in that space.  I was referring to IETF work.
> 
> Not to mention Microsoft: authorisation data without a separate
> privilege service,* protocol transition, enctype negotiation,
> constrained delegation, AEAD in GSS, IAKERB, PKU2U, reply cache
> avoidance (DCE_STYLE), plus their contributions to anonymity and FAST.

Those don't help with orchestration or operation though.

I didn't say _no_ work happened on Kerberos.

I'm referring to things like RFC 3244 being the only RFC (Informational
at that) for password changes or key changes.  The only other thing we
have in that space is an LDAP schema, but it doesn't necessarily work with
AD, right?  And many sites don't use either.

Nico
--