Re: [kitten] CAMMAC review comments

Peter Mogensen <apm@one.com> Fri, 01 August 2014 07:54 UTC

Message-ID: <53DB47B1.6080204@one.com>
Date: Fri, 01 Aug 2014 09:54:25 +0200
From: Peter Mogensen <apm@one.com>
To: kitten@ietf.org
References: <mailman.11.1406833203.14162.kitten@ietf.org>
In-Reply-To: <mailman.11.1406833203.14162.kitten@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/LUEDDMDNVvBSkyCv7zV5otHSPHY
Subject: Re: [kitten] CAMMAC review comments

On 2014-07-31 21:00, Simo Sorce wrote:
> I think the kdc-verifier could be made optional, though I am not sure
> why anyone would go through the trouble of disabling it using complex
> heuristics to save a few bytes unless the CAMMAC payload is very small.

Referencing our earlier discussion about how to make everything simpler 
and smaller (and why that was not easy within the framework of RFC4120).

Small CAMMAC payloads will not be rare. If you have a plain ticket 
without authdata and only need to add RFC6806 NT-ENTERPRISE 
capabilities, then protecting AD-LOGIN-ALIAS, which can easily be around 
just 10 bytes, will have a checksum of around 100 bytes. (*)

Putting a few of those tickets in - say - an HTTP cookie will add 
considerably to the HTTP header size.  (HTTP/2.0 would help a lot then)

I don't think one should underestimate the value of small tickets.

/Peter

*: I know RFC6806 explicitly calls for AD-KDC-ISSUED, but one could 
easily imagine wanting to protect AD-LOGIN-ALIAS through S4U2proxy 
delegation too.
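Worked example, added to this archive copy and not part of Peter's message or of the CAMMAC draft: a hand-rolled DER encoder that builds one AD-LOGIN-ALIAS element, wraps it in a CAMMAC, and reports the encoded size with and without a kdc-verifier, so the overhead ratio he describes can be seen in bytes. Assumptions: the AD-CAMMAC and Verifier-MAC layout follows the structure as published in RFC 7751 (the 2014 draft under discussion may differ in detail); ad-type 80 and NT-ENTERPRISE are from RFC 6806; enctype 18 and cksumtype 16 are from RFC 3962; the alias "alice", the realm EXAMPLE.COM and the 32-byte key are constructed; and the MAC is a plain HMAC-SHA1 truncated to 96 bits over the encoded elements, standing in for the real hmac-sha1-96-aes256 checksum (which derives a key per RFC 3961 first).

```python
"""Encoded size of a CAMMAC around a small AD-LOGIN-ALIAS, with and without
the kdc-verifier.  Hand-rolled DER so it runs with the standard library only."""
import hashlib
import hmac

# Type codes: RFC 4120 name types, RFC 6806 ad-type, RFC 3962 enctype/cksumtype
NT_SRV_INST = 2                       # krbtgt/REALM
NT_ENTERPRISE = 10                    # RFC 6806 enterprise principal name
AD_LOGIN_ALIAS = 80                   # RFC 6806 ad-type
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
CKSUMTYPE_HMAC_SHA1_96_AES256 = 16

# Constructed stand-in for the krbtgt key; not derived as RFC 3961 requires.
CONSTRUCTED_KDC_KEY = bytes(range(32))


def der_length(n):
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def ctx(n, content):
    """Explicit context tag [n], as RFC 4120 puts on every SEQUENCE field."""
    return tlv(0xA0 | n, content)


def integer(n):
    """INTEGER for non-negative values (all the Kerberos type codes used here)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def octet_string(b):
    return tlv(0x04, b)


def general_string(s):
    return tlv(0x1B, s.encode("ascii"))   # KerberosString is a GeneralString


def sequence(*items):
    return tlv(0x30, b"".join(items))


def principal_name(name_type, name_string):
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    return sequence(ctx(0, integer(name_type)),
                    ctx(1, sequence(*[general_string(s) for s in name_string])))


def authorization_data(elements):
    # AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }
    return sequence(*[sequence(ctx(0, integer(t)), ctx(1, octet_string(d))) for t, d in elements])


def checksum(cksumtype, mac):
    # Checksum ::= SEQUENCE { cksumtype [0] Int32, checksum [1] OCTET STRING }
    return sequence(ctx(0, integer(cksumtype)), ctx(1, octet_string(mac)))


def verifier_mac(identifier, kvno, enctype, cksumtype, mac):
    # Verifier-MAC ::= SEQUENCE { identifier [0] PrincipalName, kvno [1] UInt32,
    #                             enctype [2] Int32, mac [3] Checksum }  (RFC 7751 layout)
    return sequence(ctx(0, identifier), ctx(1, integer(kvno)), ctx(2, integer(enctype)),
                    ctx(3, checksum(cksumtype, mac)))


def cammac(elements, kdc_verifier=None, svc_verifier=None):
    # AD-CAMMAC ::= SEQUENCE { elements [0] AuthorizationData, kdc-verifier [1] Verifier-MAC OPTIONAL,
    #                          svc-verifier [2] Verifier-MAC OPTIONAL, ... }  (other-verifiers omitted)
    fields = [ctx(0, elements)]
    if kdc_verifier is not None:
        fields.append(ctx(1, kdc_verifier))
    if svc_verifier is not None:
        fields.append(ctx(2, svc_verifier))
    return sequence(*fields)


def simplified_mac(key, data):
    """Stand-in for hmac-sha1-96-aes256: HMAC-SHA1 truncated to 96 bits, no RFC 3961 key derivation."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def cammac_sizes(alias="alice", realm="EXAMPLE.COM"):
    """Byte counts for one AD-LOGIN-ALIAS element in a CAMMAC, with and without a kdc-verifier."""
    alias_data = principal_name(NT_ENTERPRISE, [alias])          # the payload being protected
    elements = authorization_data([(AD_LOGIN_ALIAS, alias_data)])
    verifier = verifier_mac(principal_name(NT_SRV_INST, ["krbtgt", realm]), kvno=1,
                            enctype=ENCTYPE_AES256_CTS_HMAC_SHA1_96,
                            cksumtype=CKSUMTYPE_HMAC_SHA1_96_AES256,
                            mac=simplified_mac(CONSTRUCTED_KDC_KEY, elements))
    return {
        "ad_login_alias_payload": len(alias_data),
        "kdc_verifier_field": len(ctx(1, verifier)),
        "cammac_without_kdc_verifier": len(cammac(elements)),
        "cammac_with_kdc_verifier": len(cammac(elements, kdc_verifier=verifier)),
    }


if __name__ == "__main__":
    for name, size in cammac_sizes().items():
        print(f"{name:30s} {size:4d} bytes")
```

With these constructed values the alias payload is 18 bytes, the CAMMAC without a kdc-verifier 35 bytes, and the kdc-verifier field alone 73 bytes, so the verifier more than triples the element; a longer realm or service principal in the identifier pushes the verifier toward the 100 bytes quoted above, and none of it shrinks as the payload does.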