Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Nico Williams <nico@cryptonector.com> Tue, 21 February 2023 04:15 UTC

Date: Mon, 20 Feb 2023 22:15:27 -0600
From: Nico Williams <nico@cryptonector.com>
To: Luke Howard Bentata <lukeh@padl.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/RFX4XywCAlhCeB@gmail.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <6cb6f5ddfc7b9b150b4eef72db5a3f3b9566fd80.camel@redhat.com> <20230219194355.36139173DDE@pb-smtp2.pobox.com> <Y/K2IEhX6c+b05Ye@gmail.com> <Y/QT7BxdTHq0RYTz@gmail.com> <7064A9EB-EB01-426C-9BED-AFB97FA93551@padl.com> <Y/Q7hdTOF1HaxQKM@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <Y/Q7hdTOF1HaxQKM@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ODRVEh2hKypcSgSu-J5Y4ydt27A>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

To be specific, I think we ought to have at least:

 - a document on what self-service orchestration is, and example
   authorization policies one might want to use

   This might be an FYI.

   And maybe some protocols as well.

 - a protocol for fetching keytabs and/or rotating service keys

   This includes documenting the need for fetching keys that are needed
   to decrypt extant or soon-to-be-extant tickets when a service is
   clustered and the cluster membership is dynamic.  And how the set of
   kvnos needed depends on the ticket lifetimes and when the current
   keys were set.  And that older keys than that should not be returned.

   And so on.

   The point being that a protocol that merely sets new keys on a
   service principal is not enough.

   This is very relevant to the virtual service principal namespace
   feature in Heimdal (which really helps with operation by cutting out
   the need for synchronization).  This feature is really only worthy of
   an FYI unless we mean to also update the LDAP schema to know about
   it.

Heimdal has had a bunch of features that help with operation and
orchestration, with some being candidates for FYIs, some for BCPs, and
some for STDs.  There's no reason only Heimdal should have them.  I'd
welcome other implementors to adopt them.

Nico
--
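The kvno-selection rule sketched in the message (keys needed for extant or soon-to-be-extant tickets, and nothing older) worked through as an added example; this is not Nico's code nor anything from Heimdal. It assumes a single maximum ticket lifetime for the principal, a fixed 5-minute clock-skew allowance, and a constructed key history, and it also derives the complementary set a keytab-fetch service should refuse to hand out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class KeyVersion:
    kvno: int
    set_at: datetime   # instant this kvno became the principal's current key

def needed_kvnos(history, now, max_ticket_life, max_clock_skew=timedelta(minutes=5)):
    """Kvnos a cluster member must hold: every key under which a still-valid
    ticket may exist, plus the current key for tickets about to be issued.
    A ticket under kvno k may have been issued up to the instant the next kvno
    was set, so k is needed exactly while next_set_at + max_ticket_life
    (allowing for KDC/service clock skew) still lies in the future."""
    hist = sorted(history, key=lambda kv: kv.set_at)
    needed = set()
    for i, kv in enumerate(hist):
        is_current = i + 1 == len(hist)
        if is_current:
            needed.add(kv.kvno)          # soon-to-be-extant tickets use this one
            continue
        retired_at = hist[i + 1].set_at  # k stopped being used for new tickets
        if retired_at + max_ticket_life + max_clock_skew > now:
            needed.add(kv.kvno)
    return needed

def prunable_kvnos(history, now, max_ticket_life):
    """Older keys that a keytab-fetch protocol should refuse to return."""
    keep = needed_kvnos(history, now, max_ticket_life)
    return {kv.kvno for kv in history} - keep

# Constructed sample: three rotations of one clustered service principal.
UTC = timezone.utc
SAMPLE_HISTORY = [
    KeyVersion(3, datetime(2023, 2, 10, 0, 0, tzinfo=UTC)),
    KeyVersion(4, datetime(2023, 2, 19, 0, 0, tzinfo=UTC)),
    KeyVersion(5, datetime(2023, 2, 20, 20, 0, tzinfo=UTC)),
]
SAMPLE_NOW = datetime(2023, 2, 21, 4, 15, tzinfo=UTC)

def demo(max_life_hours):
    """(needed, prunable) for the sample history under a given max ticket life."""
    life = timedelta(hours=max_life_hours)
    return (needed_kvnos(SAMPLE_HISTORY, SAMPLE_NOW, life),
            prunable_kvnos(SAMPLE_HISTORY, SAMPLE_NOW, life))

if __name__ == "__main__":
    print(demo(10))  # kvno 4 retired only ~8h ago: ({4, 5}, {3})
    print(demo(1))   # every 1h ticket under kvno 4 has expired: ({5}, {3, 4})
```

With a 10-hour ticket life the member still needs kvno 4 because tickets issued just before the last rotation remain valid; with a 1-hour life the same rotation history needs only the current key, which is why a protocol that merely sets new keys cannot answer this question.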