[kitten] Clarification on draft-williams-kitten-krb5-pkcross-02

"Nordgren, Bryce L -FS" <bnordgren@fs.fed.us> Tue, 10 June 2014 02:02 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/LVThZ5fREJaDJSzbXjgWh3076j4

Moving this here because it seemed more appropriate.

On the kerberos@mit.edu list, Nico said:

> my idea is to use TGS anyways, but with a PKINIT pre-auth instead of PA-TGS, and with a "cross-realm" certificate

But in the draft I see that step 4 of the protocol is:

> Request a TGT from the destination realm using PKINIT [RFC4556] <http://tools.ietf.org/html/rfc4556>

The draft seems to be saying to me that Step 4 is to initiate an AS exchange with the destination realm using PKINIT. If I understand your comment correctly, the crux of your idea is to have the client initiate a TGS exchange with the destination realm using alternative padata. Can you clarify this situation for me? :)

Thanks,
Bryce