Re: [kitten] Token Preauth for Kerberos
"Zheng, Kai" <kai.zheng@intel.com> Fri, 13 June 2014 08:08 UTC
From: "Zheng, Kai" <kai.zheng@intel.com>
To: Nathaniel McCallum <npmccallum@redhat.com>
Date: Fri, 13 Jun 2014 08:07:50 +0000
Message-ID: <8D5F7E3237B3ED47B84CF187BB17B666118ED099@SHSMSX103.ccr.corp.intel.com>
References: <8D5F7E3237B3ED47B84CF187BB17B666118D870F@SHSMSX103.ccr.corp.intel.com> <5397328E.6020005@mit.edu> <8D5F7E3237B3ED47B84CF187BB17B666118D8E14@SHSMSX103.ccr.corp.intel.com> <1402498324.2955.2.camel@ipa.example.com>
In-Reply-To: <1402498324.2955.2.camel@ipa.example.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/OlfueAHWf3NeflQS7XDWb7EdtcM
Cc: "kitten@ietf.org" <kitten@ietf.org>, "Jiang, Weihua" <weihua.jiang@intel.com>, "krbdev@mit.edu" <krbdev@mit.edu>
Subject: Re: [kitten] Token Preauth for Kerberos
Nathaniel,

Yes, I like the idea, and hopefully the token-preauth mechanism can benefit from it.

Thanks.

Regards,
Kai

-----Original Message-----
From: Nathaniel McCallum [mailto:npmccallum@redhat.com]
Sent: Wednesday, June 11, 2014 10:52 PM
To: Zheng, Kai
Cc: Greg Hudson; kitten@ietf.org; krbdev@mit.edu; Jiang, Weihua
Subject: Re: [kitten] Token Preauth for Kerberos

On Wed, 2014-06-11 at 08:15 +0000, Zheng, Kai wrote:
> Hi Greg,
>
> Thanks for your valuable feedback and suggestions!
>
> 1. Yes, you're right: I'm taking the OTP approach and using the FAST armor
> key as the reply key. As mentioned in the proposal, we suggest PKINIT
> be deployed along with this mechanism, and the client uses PKINIT
> anonymous to obtain the armor ticket. It doesn't provide mutual
> authentication, since only the KDC is authenticated to the client, with
> the configured certificate of the KDC; the client is not, since it lacks
> a certificate, so as to avoid the deployment overhead in our solution.
> So protecting the token here in the AS-REQ exchange mainly depends on the
> FAST tunnel, and the client should be careful about the armor ticket.

You may be interested in this proposal:
http://mailman.mit.edu/pipermail/krbdev/2014-May/011958.html

Nathaniel
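The quoted design makes the reply key equal to the FAST armor key, which is a function of the client's subkey and the session key of the armor ticket it obtained through anonymous PKINIT. The following is an added example (not code from this thread or from the token-preauth proposal) that derives that armor key with KRB-FX-CF2 and prf+ as I read RFC 6113, using the RFC 8009 SHA-256 enctype PRF because it needs only the standard library; the pepper strings and the PRF encoding are my recollection of those RFCs, and the sample keys are constructed.

```python
import hashlib
import hmac
from operator import xor

# aes128-cts-hmac-sha256-128 (RFC 8009): 16-byte keys, 32-byte PRF output,
# and random-to-key is the identity, so derived keys are simple truncations.
KEY_LEN = 16


def kdf_hmac_sha2(key: bytes, label: bytes, context: bytes, k_bits: int) -> bytes:
    """KDF-HMAC-SHA2 of RFC 8009 (SP 800-108 counter mode, one HMAC block):
    HMAC-SHA-256(key, 0x00000001 | label | 0x00 | context | k) truncated to k bits."""
    msg = (1).to_bytes(4, "big") + label + b"\x00" + context + k_bits.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[: k_bits // 8]


def prf(key: bytes, octet_string: bytes) -> bytes:
    """RFC 8009 PRF for the SHA-256 enctype: KDF-HMAC-SHA2(key, "prf", S, 256)."""
    return kdf_hmac_sha2(key, b"prf", octet_string, 256)


def prf_plus(key: bytes, pepper: bytes, out_len: int = KEY_LEN) -> bytes:
    """prf+ of RFC 6113 section 5.1: PRF(K, 0x01|S) | PRF(K, 0x02|S) | ...
    truncated to the key length (one-octet counter, as I read the RFC)."""
    out = b""
    counter = 1
    while len(out) < out_len:
        out += prf(key, bytes([counter]) + pepper)
        counter += 1
    return out[:out_len]


def krb_fx_cf2(key1: bytes, key2: bytes, pepper1: bytes, pepper2: bytes) -> bytes:
    """KRB-FX-CF2 of RFC 6113: random-to-key(prf+(key1, pepper1) XOR prf+(key2, pepper2))."""
    return bytes(map(xor, prf_plus(key1, pepper1), prf_plus(key2, pepper2)))


def fast_armor_key(subkey: bytes, ticket_session_key: bytes) -> bytes:
    """Armor key for an explicit armor ticket (RFC 6113 section 5.4.1.1, as I recall the peppers)."""
    return krb_fx_cf2(subkey, ticket_session_key, b"subkeyarmor", b"ticketarmor")


# Constructed sample keys (not real material): the session key of an armor
# ticket obtained via anonymous PKINIT, and the subkey the client chooses.
ANON_TICKET_SESSION_KEY = bytes(range(0x10, 0x20))
CLIENT_SUBKEY = bytes(range(0xA0, 0xB0))

if __name__ == "__main__":
    # With the proposal's design this value is also the reply key, so the token
    # carried in the AS-REQ is exactly as confidential as these two inputs.
    print("armor/reply key:", fast_armor_key(CLIENT_SUBKEY, ANON_TICKET_SESSION_KEY).hex())
```

The derivation is deterministic in the subkey and the armor-ticket session key alone, which is the concrete form of the caveat above that the client must guard the armor ticket.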