Re: [kitten] Comments on draft-ietf-krb-wg-camac-08
Jeffrey Hutzelman <jhutz@cmu.edu> Thu, 31 July 2014 20:12 UTC
Return-Path: <jhutz@cmu.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05A771A00C2 for <kitten@ietfa.amsl.com>; Thu, 31 Jul 2014 13:12:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A0ZK1FsPYzF9 for <kitten@ietfa.amsl.com>; Thu, 31 Jul 2014 13:12:49 -0700 (PDT)
Received: from smtp03.srv.cs.cmu.edu (smtp03.srv.cs.cmu.edu [128.2.217.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51D511A0137 for <kitten@ietf.org>; Thu, 31 Jul 2014 13:12:44 -0700 (PDT)
Received: from [192.168.1.115] (50-73-160-70-pennsylvania.hfc.comcastbusiness.net [50.73.160.70]) (authenticated bits=0) by smtp03.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id s6VKCZI1008428 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Thu, 31 Jul 2014 16:12:42 -0400 (EDT)
Message-ID: <1406837555.8950.10.camel@destiny.pc.cs.cmu.edu>
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Date: Thu, 31 Jul 2014 16:12:35 -0400
In-Reply-To: <alpine.GSO.1.10.1407301100190.21571@multics.mit.edu>
References: <tslwqax1mhm.fsf@mit.edu> <53D7DBE2.3010105@mit.edu> <alpine.GSO.1.10.1407292114140.21571@multics.mit.edu> <1406720770.3242.7.camel@willson.usersys.redhat.com> <alpine.GSO.1.10.1407301100190.21571@multics.mit.edu>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.8.4-0ubuntu1
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: mimedefang-cmuscs on 128.2.217.202
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/K5FZY14JOyXgt1lRMu4f_s-reew
Cc: kitten@ietf.org, Simo Sorce <simo@redhat.com>, jhutz@cmu.edu
Subject: Re: [kitten] Comments on draft-ietf-krb-wg-camac-08
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2014 20:12:52 -0000
On Wed, 2014-07-30 at 11:02 -0400, Benjamin Kaduk wrote: > On Wed, 30 Jul 2014, Simo Sorce wrote: > > > I thought we concluded that CAMMAC does not need to be wrapped in > > AD-IF-RELEVANT because it has the same properties by definition and > > therefore is always non critical as well, but I would not mind > > specifying it has to be wrapped in AD-IF-RELEVANT for best > > compatibility. > > I had some memories of coming to this conclusion as well, but don't see > anything in the list archive or meeting minutes. Maybe it was from > discussion on one of the krb5 development conference calls. Well, I'm glad my opinion today is more or less consistent with my opinion of almost a year ago... I think we only have two reasonable choices: 1) Accept that implementations don't treat unrecognized auth-data as critical and will never be fixed sufficiently well to be depended upon, and give up on ever being able to have critical AD. 2) Attempt to build a protocol suite which, if implemented correctly, allows a KDC or client to place critical constraints on the use of a ticket. If we choose (1), then we should say so. New containers such as AD-CAMMAC should (always) be wrapped in AD-IF-RELEVANT, for compatibility, and the data they wrap should be considered non-critical, not as a result of the definition of the new container but because we've given up on AD ever being critical. If we choose (2), then being able to have authorization data which is both critical and authenticated seems fairly important, and having AD-CAMMAC imply non-criticality of the wrapped elements would prevent that. So, it shouldn't do that. However, it seems reasonable for AD-IF-RELEVANT(AD-CAMMAC(...)) to indicate that both the AD-CAMMAC and everything it wraps are non-critical(*). Regardless of which option we choose, the authorization data contained within AD-IF-RELEVANT(AD-CAMMAC(...)) is non-critical. In fact, regardless of which option we choose, AD-CAMMAC does not affect the criticality (or lack thereof) of the things it wraps. So really, this just boils down to whether we are ready to make a statement that Kerberos doesn't really have critical authorization data after all. -- Jeff (*) Note that this is _not_ the same as AD-IF-RELEVANT implying non-criticality for everything contained within it down to every depth. In particular, it is possible to imagine a container which can safely ignored in its entirety, but for which ignoring individual contained elements produces the wrong effect.
- [kitten] Comments on draft-ietf-krb-wg-camac-08 Sam Hartman
- Re: [kitten] Comments on draft-ietf-krb-wg-camac-… Greg Hudson
- Re: [kitten] Comments on draft-ietf-krb-wg-camac-… Benjamin Kaduk
- Re: [kitten] Comments on draft-ietf-krb-wg-camac-… Simo Sorce
- Re: [kitten] Comments on draft-ietf-krb-wg-camac-… Benjamin Kaduk
- Re: [kitten] Comments on draft-ietf-krb-wg-camac-… Jeffrey Hutzelman
- Re: [kitten] Comments on draft-ietf-krb-wg-camac-… Nico Williams
- Re: [kitten] Comments on draft-ietf-krb-wg-camac-… Tom Yu
- Re: [kitten] Comments on draft-ietf-krb-wg-camac-… Nico Williams
- Re: [kitten] Comments on draft-ietf-krb-wg-camac-… Sam Hartman
- Re: [kitten] Comments on draft-ietf-krb-wg-camac-… Benjamin Kaduk
- Re: [kitten] Comments on draft-ietf-krb-wg-camac-… Nico Williams
- Re: [kitten] Comments on draft-ietf-krb-wg-camac-… Tom Yu