Re: [kitten] Fwd: New Version Notification for draft-vanrein-dnstxt-krb1-05.txt
Rick van Rein <rick@openfortress.nl> Tue, 22 September 2015 11:09 UTC
Return-Path: <rick@openfortress.nl>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3749C1A1BE6 for <kitten@ietfa.amsl.com>; Tue, 22 Sep 2015 04:09:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.201
X-Spam-Level:
X-Spam-Status: No, score=-1.201 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zQew-Jzlh2au for <kitten@ietfa.amsl.com>; Tue, 22 Sep 2015 04:09:43 -0700 (PDT)
Received: from lb1-smtp-cloud3.xs4all.net (lb1-smtp-cloud3.xs4all.net [194.109.24.22]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 566931A1BDD for <kitten@ietf.org>; Tue, 22 Sep 2015 04:09:42 -0700 (PDT)
Received: from airhead.local ([83.161.146.46]) by smtp-cloud3.xs4all.net with ESMTP id LB9f1r00f10HQrX01B9gP7; Tue, 22 Sep 2015 13:09:41 +0200
Message-ID: <560136F2.3010509@openfortress.nl>
Date: Tue, 22 Sep 2015 13:09:38 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: kitten@ietf.org
References: <20150915143628.21162.89108.idtracker@ietfa.amsl.com> <55F82DA5.10504@openfortress.nl> <alpine.GSO.1.10.1509172254390.26829@multics.mit.edu> <55FBF0C8.6090904@openfortress.nl> <20150918140247.GB13294@localhost> <20150918153219.GP21942@mournblade.imrryr.org> <55FC4A37.9020305@openfortress.nl> <55FD5F8B.8050807@openfortress.nl> <55FD8806.5070909@mit.edu>
In-Reply-To: <55FD8806.5070909@mit.edu>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/OcGljML3bMRY3yogAsxLKz5MYCc>
Subject: Re: [kitten] Fwd: New Version Notification for draft-vanrein-dnstxt-krb1-05.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2015 11:09:46 -0000
Hi Greg, > This reasoning isn't correct. There are two scenarios: > > 1. The client can't determine the service realm name with confidence (it > doesn't implement PTR lookups, or can't do secure DNS resolution because > of a restrictive network element, or whatever). In this case, it asks > its local KDC for a service ticket (making a TGS query to > serviceprinc@LOCALREALM) with no conception of what the target realm > should be. The KDC can issue an RFC 6806 referral to whatever realm it > wants. Case correction doesn't even enter the picture from the Kerberos > protocol perspective, since the client has no realm name to correct. Agreed. In this case we cannot speak of case correction because the KDC may be the party that does the PTR lookups with confidence. I was not describing this case (and may have been unclear about that). > 2. The client does determine the service realm name with confidence, but > with the wrong case. In this case its asks its KDC for > krbtgt/wrong-case-realm@LOCALREALM, and RFC 6806 does not apply. Ah. My reasoning was that it would ask directly for imap/imap.example.com@WRONG-CASE-REALM and that RFC 6806 would then be applied. I've seen such guessing, presumably under the hoping that the KDC will know how to link the client to the requested service; I've seen this behaviour on Mac OS X, which uses Heimdal. I haven't checked if MIT krb5 does this too. > RFC 4120 section 9 allows the local realm KDC to issue a > krbtgt/right-case-realm@LOCALREALM ticket as a "closer TGT", but a > current client will not take that as a case correction; instead, it will > stubbornly ask right-case-realm for a krbtgt/wrong-case-realm Ticket. You mean because it sees wrong-case-realm as different from right-case-realm and thinks it hasn't reached its destination, right? The client however, "knows" that the case might be off, because it went through the (new) activity of pursuing a PTR RR. That means that it might also handle the case differently. Conceptually, I am thinking of the client as interpreting the PTR as a set of possible realms to ask for, with all the case variations included. In theory it might try each in turn, but in practice it is more efficient to interpret the response as saying "but we have a direct route for another option you're considering". What this means in practice is that the client who does PTR lookups can cut short the iteration over many cases by requesting a standardised version from the set and treating the response as a case correction. And it is the newly introduced PTR behaviour that would make all the difference -- because PTR cannot provide reliable character case. > We can certainly require that clients which implement PTR realm lookup > also treat krbtgt/case-variant-realm replies as case corrections rather > than referrals. But that needs to be treated as a protocol extension > and an update to RFC 4120. In MIT krb5 there are some API and caching > considerations for this new client behavior, though they may be manageable. Do you agree that the conceptual model and inefficient theoretic implementation is in line with what RFC 4120 prescribes, and that the case-correction is merely a more efficient manner of getting to the right answer? (That would need some explaining in the I-D of course.) Cheers, -Rick
- [kitten] Fwd: New Version Notification for draft-… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Benjamin Kaduk
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Nico Williams
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson
- Re: [kitten] Fwd: New Version Notification for dr… Viktor Dukhovni
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson