Re: [kitten] CAMMAC review comments
Peter Mogensen <apm@one.com> Fri, 01 August 2014 07:54 UTC
Message-ID: <53DB47B1.6080204@one.com>
Date: Fri, 01 Aug 2014 09:54:25 +0200
From: Peter Mogensen <apm@one.com>
To: kitten@ietf.org
References: <mailman.11.1406833203.14162.kitten@ietf.org>
In-Reply-To: <mailman.11.1406833203.14162.kitten@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/LUEDDMDNVvBSkyCv7zV5otHSPHY
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
On 2014-07-31 21:00, Simo Sorce wrote:
> I think the kdc-verifier could be made optional, though I am not sure
> why anyone would go through the trouble of disabling it using complex
> heuristics to save a few bytes unless the CAMMAC payload is very small.

Referencing our earlier discussion about how to make everything simpler
and smaller (and why that was not easy within the framework of RFC4120).

Small CAMMAC payloads will not be rare.
If you have a plain ticket without authdata and only need to add RFC6806
NT-ENTERPRISE capabilities, then protecting AD-LOGIN-ALIAS, which can
easily be around just 10 bytes, will have a checksum around 100 bytes. (*)

Putting a few of those tickets in - say - an HTTP cookie will add
considerably to the HTTP header size. (HTTP/2.0 would help a lot then)

I don't think one should underestimate the value of small tickets.

/Peter

*: I know RFC6806 explicitly calls for AD-KDC-ISSUED, but one could easily
imagine wanting to protect AD-LOGIN-ALIAS through S4U2proxy delegation too.
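The size argument above can be checked by DER-encoding the structures. The following is an added example, not code from the CAMMAC draft, from MIT Kerberos or from anyone in this thread. It encodes a one-element AuthorizationData carrying a 10-byte AD-LOGIN-ALIAS, then the same element wrapped in AD-CAMMAC with a kdc-verifier, and reports the byte counts. Structure shapes follow RFC 4120 (AuthorizationData, Checksum, PrincipalName, EXPLICIT context tags) and the CAMMAC specification as published in RFC 7751 (AD-CAMMAC, Verifier-MAC; the 2014 draft may differ in detail). Assumptions, all constructed for illustration: the alias payload "alice@corp", kvno 5, enctype 18, cksumtype 16 (hmac-sha1-96-aes256, 12-byte MAC), the identifier krbtgt/EXAMPLE.COM, and a placeholder MAC computed with plain HMAC-SHA1 over the elements encoding under a throwaway key, which only has the right length and is not a real Kerberos checksum.

```python
"""Size of a small AD-LOGIN-ALIAS element, bare vs. wrapped in AD-CAMMAC.

Added example; not the CAMMAC draft's or any implementation's code.
"""
import hashlib
import hmac

AD_LOGIN_ALIAS = 80                  # RFC 6806
AD_CAMMAC = 96                       # RFC 7751
NT_SRV_INST = 2                      # name-type used for krbtgt/REALM
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
CKSUMTYPE_HMAC_SHA1_96_AES256 = 16   # 96-bit (12-byte) MAC

# Constructed, throwaway key: only used to produce a MAC of realistic length.
PLACEHOLDER_KEY = bytes(range(32))


# --- minimal DER encoder (enough for these Kerberos structures) ------------
def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    """INTEGER, minimal two's-complement encoding."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def ctx(n: int, body: bytes) -> bytes:   # [n] EXPLICIT, as Kerberos uses
    return tlv(0xA0 | n, body)


def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))


def octets(b: bytes) -> bytes:
    return tlv(0x04, b)


def gstring(s: str) -> bytes:            # KerberosString is GeneralString
    return tlv(0x1B, s.encode("ascii"))


# --- RFC 4120 structures ---------------------------------------------------
def ad_element(ad_type: int, ad_data: bytes) -> bytes:
    return seq(ctx(0, der_int(ad_type)), ctx(1, octets(ad_data)))


def authorization_data(*elements: bytes) -> bytes:
    return seq(*elements)


def checksum(cksumtype: int, mac: bytes) -> bytes:
    return seq(ctx(0, der_int(cksumtype)), ctx(1, octets(mac)))


def principal_name(name_type: int, *components: str) -> bytes:
    return seq(ctx(0, der_int(name_type)),
               ctx(1, seq(*[gstring(c) for c in components])))


# --- RFC 7751 structures ---------------------------------------------------
def verifier_mac(mac: bytes, kvno=None, enctype=None, identifier=None) -> bytes:
    parts = []
    if identifier is not None:
        parts.append(ctx(0, identifier))
    if kvno is not None:
        parts.append(ctx(1, der_int(kvno)))
    if enctype is not None:
        parts.append(ctx(2, der_int(enctype)))
    parts.append(ctx(3, mac))
    return seq(*parts)


def ad_cammac(elements: bytes, kdc_verifier=None, svc_verifier=None) -> bytes:
    parts = [ctx(0, elements)]
    if kdc_verifier is not None:
        parts.append(ctx(1, kdc_verifier))
    if svc_verifier is not None:
        parts.append(ctx(2, svc_verifier))
    return seq(*parts)


def placeholder_mac(data: bytes) -> bytes:
    """Stand-in for the kdc-verifier MAC: HMAC-SHA1 truncated to 96 bits.
    A real hmac-sha1-96-aes256 checksum is keyed with a derived key."""
    return hmac.new(PLACEHOLDER_KEY, data, hashlib.sha1).digest()[:12]


# --- the comparison --------------------------------------------------------
def bare_login_alias(alias: bytes) -> bytes:
    """AuthorizationData holding only an AD-LOGIN-ALIAS element."""
    return authorization_data(ad_element(AD_LOGIN_ALIAS, alias))


def cammac_login_alias(alias: bytes, with_identifier: bool) -> bytes:
    """Same element wrapped in AD-CAMMAC with a kdc-verifier."""
    elements = bare_login_alias(alias)
    ident = (principal_name(NT_SRV_INST, "krbtgt", "EXAMPLE.COM")
             if with_identifier else None)
    kv = verifier_mac(checksum(CKSUMTYPE_HMAC_SHA1_96_AES256,
                               placeholder_mac(elements)),
                      kvno=5, enctype=ENCTYPE_AES256_CTS_HMAC_SHA1_96,
                      identifier=ident)
    return authorization_data(ad_element(AD_CAMMAC, ad_cammac(elements, kv)))


def cammac_overhead(alias: bytes, with_identifier: bool) -> int:
    """Extra bytes the CAMMAC wrapper adds over the bare element."""
    return len(cammac_login_alias(alias, with_identifier)) - len(bare_login_alias(alias))


if __name__ == "__main__":
    alias = b"alice@corp"   # constructed 10-byte alias payload
    print("bare AD-LOGIN-ALIAS:", len(bare_login_alias(alias)), "bytes")
    for ident in (False, True):
        print("AD-CAMMAC, identifier=%s: %d bytes (+%d)" % (
            ident, len(cammac_login_alias(alias, ident)), cammac_overhead(alias, ident)))
```

With these assumptions the bare element is 23 bytes, the CAMMAC wrapper without an identifier adds 56 bytes, and with a krbtgt/EXAMPLE.COM identifier in the Verifier-MAC it adds 90 bytes, which is in the range the message quotes. Most of the growth is tagging and the PrincipalName, not the 12-byte MAC itself.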