Re: [kitten] [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04

Nathaniel McCallum <npmccallum@redhat.com> Thu, 05 January 2017 20:39 UTC

From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Thu, 05 Jan 2017 15:39:36 -0500
Message-ID: <CAOASepOE2RHGoZre7g6xswX56AUPZJfPMkksHWt7rwBo6_C-sw@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/OQHtEVNwy1hjS-AGhw-4sOBYkxY>
Cc: secdir <secdir@ietf.org>, draft-ietf-kitten-krb-auth-indicator.all@ietf.org, kitten@ietf.org, IESG <iesg@ietf.org>

On Thu, Jan 5, 2017 at 3:18 PM, Christian Huitema <huitema@huitema.net> wrote:
> On Thursday, January 5, 2017 11:47 AM, Benjamin Kaduk wrote:
>>
>> Thanks for finding the new document -- I was going to send you a pointer
>> today to confirm that it addressed your concerns, but you beat me to it.
>
> Blame Tero Kivinen. He sent me a reminder this morning.
>
>>> One point, though. The new section 4 states:
>>>
>>>    o  The table in Section 5.2.6 of RFC 4120 [RFC4120] is updated to map
>>>       the ad-type 97 to "DER encoding of AD-AUTHENTICATION-INDICATOR".
>>>
>>> Should that not be "DER encoding of AD-AUTHENTICATION-INDICATOR wrapped
>>> in a CAMMAC container"?
>>
>> I don't think so, but will loop in the WG to confirm.
>> The ad-type should indicate what is immediately inside the next encoding
>> layer of the ad-data.  So a Ticket might have an AuthorizationData that
>> contains ad-type 1 (AD-IF-RELEVANT), that itself contains AuthorizationData
>> with ad-type 96 (AD-CAMMAC), that in turn contains AuthorizationData with
>> ad-type 97 (AD-AUTHENTICATION-INDICATOR).  So, 97 should appear only at
>> the lowest level, and correspond to ad-data that's just the
>> AD-AUTHENTICATION-INDICATOR itself.
>
> OK, I get that now. It was not entirely obvious from reading the text.
>
> What is supposed to happen if the outside Authorization Data type is set to
> 97 instead of 96? Should that be specified somewhere? The text says:
>
>    Authorization data elements of type AD-AUTHENTICATION-INDICATOR MUST
>    be included in an AD-CAMMAC container so that their contents can be
>    verified as originating from the KDC.
>
> That's a fine constraint for the sender, but what about receivers?

5.  Security Considerations

   ... Application servers MUST validate the AD-CAMMAC container before
   making authorization decisions based on AD-AUTHENTICATION-INDICATOR
   elements.  Application servers MUST NOT make authorization decisions
   based on AD-AUTHENTICATION-INDICATOR elements which appear outside of
   AD-CAMMAC containers. ...
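The receiver-side rule quoted above, and the nesting Ben describes (AD-IF-RELEVANT containing AD-CAMMAC containing AD-AUTHENTICATION-INDICATOR), worked through as an added example. This is illustration code, not code from the draft, from any Kerberos implementation or from anyone in this thread. It hand-rolls just enough DER for AuthorizationData (SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }) and for AD-AUTHENTICATION-INDICATOR (SEQUENCE OF UTF8String), walks the nesting, and accepts ad-type 97 only when reached through a verified ad-type 96 container. The CAMMAC kdc-verifier is a stand-in HMAC-SHA256 over the encoded elements with a constructed key; the real RFC 7751 Verifier-MAC structure and Kerberos checksum are not modelled here.

```python
"""Accept AD-AUTHENTICATION-INDICATOR (ad-type 97) only inside a verified
AD-CAMMAC (ad-type 96); indicators at the outer level, or inside a CAMMAC
whose verifier fails, are rejected.  Example code, not from the draft."""
import hmac
import hashlib

AD_IF_RELEVANT = 1
AD_CAMMAC = 96
AD_AUTHENTICATION_INDICATOR = 97

# --- minimal DER helpers (only what the structures below need) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def ctx(n, body):          # [n] EXPLICIT context-specific, constructed
    return tlv(0xA0 | n, body)

def der_int(v):            # non-negative Int32 is all we need
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def parse_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_seq(body):
    """Children of a SEQUENCE body as a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out

# --- AuthorizationData (RFC 4120 5.2.6) ---
def encode_authz(elements):
    """elements: list of (ad_type, ad_data) -> DER AuthorizationData."""
    return tlv(0x30, b"".join(
        tlv(0x30, ctx(0, der_int(t)) + ctx(1, tlv(0x04, d))) for t, d in elements))

def decode_authz(der):
    _, body, _ = parse_tlv(der)
    out = []
    for _, ebody in parse_seq(body):
        fields = dict(parse_seq(ebody))
        _, tbody, _ = parse_tlv(fields[0xA0])
        _, dbody, _ = parse_tlv(fields[0xA1])
        out.append((int.from_bytes(tbody, "big"), dbody))
    return out

# --- AD-AUTHENTICATION-INDICATOR ::= SEQUENCE OF UTF8String ---
def encode_indicators(names):
    return tlv(0x30, b"".join(tlv(0x0C, s.encode()) for s in names))

def decode_indicators(der):
    _, body, _ = parse_tlv(der)
    return [v.decode() for t, v in parse_seq(body) if t == 0x0C]

# --- AD-CAMMAC with a STAND-IN verifier: [0] elements, [1] OCTET STRING HMAC.
#     This is not the RFC 7751 Verifier-MAC; it only models "the KDC vouched". ---
def encode_cammac(elements_der, kdc_key):
    mac = hmac.new(kdc_key, elements_der, hashlib.sha256).digest()
    return tlv(0x30, ctx(0, elements_der) + ctx(1, tlv(0x04, mac)))

def verify_cammac(der, kdc_key):
    """Inner AuthorizationData DER if the stand-in verifier matches, else None."""
    _, body, _ = parse_tlv(der)
    fields = dict(parse_seq(body))
    elements_der = fields[0xA0]
    _, mac, _ = parse_tlv(fields[0xA1])
    expected = hmac.new(kdc_key, elements_der, hashlib.sha256).digest()
    return elements_der if hmac.compare_digest(mac, expected) else None

# --- receiver: the MUST / MUST NOT from the Security Considerations ---
def collect_indicators(authz_der, kdc_key, inside_cammac=False, rejected=None):
    """Walk nested AuthorizationData.  Returns (accepted, rejected)."""
    accepted = []
    rejected = [] if rejected is None else rejected
    for ad_type, ad_data in decode_authz(authz_der):
        if ad_type == AD_IF_RELEVANT:          # transparent wrapper, recurse
            a, _ = collect_indicators(ad_data, kdc_key, inside_cammac, rejected)
            accepted += a
        elif ad_type == AD_CAMMAC:             # verify before trusting contents
            inner = verify_cammac(ad_data, kdc_key)
            if inner is None:
                rejected.append(("bad-cammac-verifier", None))
                continue
            a, _ = collect_indicators(inner, kdc_key, True, rejected)
            accepted += a
        elif ad_type == AD_AUTHENTICATION_INDICATOR:
            names = decode_indicators(ad_data)
            (accepted.extend if inside_cammac else
             lambda n: rejected.append(("outside-cammac", n)))(names)
    return accepted, rejected

KDC_KEY = b"constructed-kdc-key-for-the-example"   # constructed, not a real key

def build_sample_authz(kdc_key=KDC_KEY, forger_key=b"not-the-kdc-key"):
    """Constructed ticket authz: one proper nesting, one bare 97, one forged CAMMAC."""
    good = encode_cammac(encode_authz(
        [(AD_AUTHENTICATION_INDICATOR, encode_indicators(["pkinit"]))]), kdc_key)
    forged = encode_cammac(encode_authz(
        [(AD_AUTHENTICATION_INDICATOR, encode_indicators(["hardware"]))]), forger_key)
    return encode_authz([
        (AD_IF_RELEVANT, encode_authz([(AD_CAMMAC, good)])),    # 1 -> 96 -> 97
        (AD_AUTHENTICATION_INDICATOR, encode_indicators(["otp"])),  # 97 outside CAMMAC
        (AD_CAMMAC, forged),                                     # 96 with bad verifier
    ])

if __name__ == "__main__":
    ok, bad = collect_indicators(build_sample_authz(), KDC_KEY)
    print("accepted:", ok)
    print("rejected:", bad)
```

Only "pkinit" survives: the bare ad-type 97 at the outer level is exactly the case Christian asks about and is dropped without an error, while the CAMMAC that fails verification is dropped together with everything under it.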