Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
Nico Williams <nico@cryptonector.com> Tue, 21 February 2023 04:15 UTC
Date: Mon, 20 Feb 2023 22:15:27 -0600
From: Nico Williams <nico@cryptonector.com>
To: Luke Howard Bentata <lukeh@padl.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/RFX4XywCAlhCeB@gmail.com>
In-Reply-To: <Y/Q7hdTOF1HaxQKM@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ODRVEh2hKypcSgSu-J5Y4ydt27A>
To be specific, I think we ought to have at least:

 - a document on what self-service orchestration is, and example
   authorization policies one might want to use

   This might be an FYI. And maybe some protocols as well.

 - a protocol for fetching keytabs and/or rotating service keys

   This includes documenting the need for fetching keys that are needed
   to decrypt extant or soon-to-be-extant tickets when a service is
   clustered and the cluster membership is dynamic. And how the set of
   kvnos needed depends on the ticket lifetimes and when the current keys
   were set. And that older keys than that should not be returned. And so
   on. The point being that a protocol that merely sets new keys on a
   service principal is not enough.

   This is very relevant to the virtual service principal namespace
   feature in Heimdal (which really helps with operation by cutting out
   the need for synchronization). This feature is really only worthy of
   an FYI unless we mean to also update the LDAP schema to know about it.

Heimdal has had a bunch of features that help with operation and
orchestration, with some being candidates for FYIs, some for BCPs, and
some for STDs. There's no reason only Heimdal should have them. I'd
welcome other implementors to adopt them.

Nico
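One way to work out which kvnos a cluster member must still hold, as an added illustration that is not part of the message above and not Heimdal's code. It assumes the KDC always encrypts new service tickets under the newest key version and issues tickets with a fixed maximum lifetime; the key timeline is constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceKey:
    kvno: int
    set_at: int  # Unix time at which this key version was set on the principal


def required_kvnos(keys, max_ticket_life, now, clock_skew=300):
    """Return the set of kvnos needed to decrypt every ticket that can still
    be valid for this service principal at time `now`.

    A ticket encrypted under version k can have been issued at any time
    from when k was set until k+1 was set (assumption: the KDC uses the
    newest key), and stays valid for up to max_ticket_life after issue.
    So version k is still needed while set_at(k+1) + max_ticket_life
    (plus allowed clock skew) lies in the future.  The newest version is
    always needed, for tickets about to be issued.  Anything older than
    that is the "older keys that should not be returned" case.
    """
    if not keys:
        return set()
    ordered = sorted(keys, key=lambda k: k.kvno)
    needed = {ordered[-1].kvno}
    for older, newer in zip(ordered, ordered[1:]):
        last_possible_issue = newer.set_at  # `older` stopped being used here
        if last_possible_issue + max_ticket_life + clock_skew > now:
            needed.add(older.kvno)
    return needed


def keytab_entries_to_return(keys, max_ticket_life, now, clock_skew=300):
    """Filter a principal's key history down to what a keytab-fetch
    protocol should hand to a cluster member (constructed helper)."""
    wanted = required_kvnos(keys, max_ticket_life, now, clock_skew)
    return [k for k in keys if k.kvno in wanted]


# Constructed key history: four rotations, 10-hour maximum ticket life.
SAMPLE_KEYS = [
    ServiceKey(kvno=1, set_at=0),
    ServiceKey(kvno=2, set_at=100_000),
    ServiceKey(kvno=3, set_at=200_000),
    ServiceKey(kvno=4, set_at=250_000),
]
MAX_LIFE = 10 * 3600

if __name__ == "__main__":
    # At t=260000 only kvno 3 (tickets issued until t=250000) and 4 matter.
    print(sorted(required_kvnos(SAMPLE_KEYS, MAX_LIFE, now=260_000)))
```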