IETF Logo Mail Archive

Re: [kitten] Comments on draft-ietf-krb-wg-camac-08

Jeffrey Hutzelman <jhutz@cmu.edu> Thu, 31 July 2014 20:12 UTC

Return-Path: <jhutz@cmu.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05A771A00C2 for <kitten@ietfa.amsl.com>; Thu, 31 Jul 2014 13:12:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A0ZK1FsPYzF9 for <kitten@ietfa.amsl.com>; Thu, 31 Jul 2014 13:12:49 -0700 (PDT)
Received: from smtp03.srv.cs.cmu.edu (smtp03.srv.cs.cmu.edu [128.2.217.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51D511A0137 for <kitten@ietf.org>; Thu, 31 Jul 2014 13:12:44 -0700 (PDT)
Received: from [192.168.1.115] (50-73-160-70-pennsylvania.hfc.comcastbusiness.net [50.73.160.70]) (authenticated bits=0) by smtp03.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id s6VKCZI1008428 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Thu, 31 Jul 2014 16:12:42 -0400 (EDT)
Message-ID: <1406837555.8950.10.camel@destiny.pc.cs.cmu.edu>
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Date: Thu, 31 Jul 2014 16:12:35 -0400
In-Reply-To: <alpine.GSO.1.10.1407301100190.21571@multics.mit.edu>
References: <tslwqax1mhm.fsf@mit.edu> <53D7DBE2.3010105@mit.edu> <alpine.GSO.1.10.1407292114140.21571@multics.mit.edu> <1406720770.3242.7.camel@willson.usersys.redhat.com> <alpine.GSO.1.10.1407301100190.21571@multics.mit.edu>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.8.4-0ubuntu1
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: mimedefang-cmuscs on 128.2.217.202
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/K5FZY14JOyXgt1lRMu4f_s-reew
Cc: kitten@ietf.org, Simo Sorce <simo@redhat.com>, jhutz@cmu.edu
Subject: Re: [kitten] Comments on draft-ietf-krb-wg-camac-08
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2014 20:12:52 -0000

On Wed, 2014-07-30 at 11:02 -0400, Benjamin Kaduk wrote:
> On Wed, 30 Jul 2014, Simo Sorce wrote:
> 
> > I thought we concluded that CAMMAC does not need to be wrapped in
> > AD-IF-RELEVANT because it has the same properties by definition and
> > therefore is always non critical as well, but I would not mind
> > specifying it has to be wrapped in AD-IF-RELEVANT for best
> > compatibility.
> 
> I had some memories of coming to this conclusion as well, but don't see 
> anything in the list archive or meeting minutes.  Maybe it was from 
> discussion on one of the krb5 development conference calls.

Well, I'm glad my opinion today is more or less consistent with my
opinion of almost a year ago...

I think we only have two reasonable choices:

1) Accept that implementations don't treat unrecognized auth-data as
   critical and will never be fixed sufficiently well to be depended
upon,
   and give up on ever being able to have critical AD.

2) Attempt to build a protocol suite which, if implemented correctly,
allows
   a KDC or client to place critical constraints on the use of a ticket.

If we choose (1), then we should say so.  New containers such as
AD-CAMMAC should (always) be wrapped in AD-IF-RELEVANT, for
compatibility, and the data they wrap should be considered non-critical,
not as a result of the definition of the new container but because we've
given up on AD ever being critical.

If we choose (2), then being able to have authorization data which is
both critical and authenticated seems fairly important, and having
AD-CAMMAC imply non-criticality of the wrapped elements would prevent
that.  So, it shouldn't do that.  However, it seems reasonable for
AD-IF-RELEVANT(AD-CAMMAC(...)) to indicate that both the AD-CAMMAC and
everything it wraps are non-critical(*).

Regardless of which option we choose, the authorization data contained
within AD-IF-RELEVANT(AD-CAMMAC(...)) is non-critical.  In fact,
regardless of which option we choose, AD-CAMMAC does not affect the
criticality (or lack thereof) of the things it wraps.

So really, this just boils down to whether we are ready to make a
statement that Kerberos doesn't really have critical authorization data
after all.

-- Jeff


(*) Note that this is _not_ the same as AD-IF-RELEVANT implying
non-criticality for everything contained within it down to every depth.
In particular, it is possible to imagine a container which can safely
ignored in its entirety, but for which ignoring individual contained
elements produces the wrong effect.

v2.23.0 | Report a Bug | By Email