Re: [kitten] Replacing Kerberos

Erin Shepherd <erin.shepherd@e43.eu> Thu, 23 February 2023 20:20 UTC

To: Nico Williams <nico@cryptonector.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Message-Id: <134D46FA-1E2A-4DB0-9B8D-6897136972CA@e43.eu>
In-Reply-To: <Y/GFY3wTO+TBg638@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/PR70drjo3QWKbEElmDLMhvE-TWE>

> On 19 Feb 2023, at 03:11, Nico Williams <nico@cryptonector.com> wrote:
> 
> - the ability to easily create server/acceptor software for it
> 
>   This is a reference to ASN.1/DER _still_ being too much to ask for
>   most developers.
> 
> - the ability to make a GSS/SSP/SA(SL) mechanism, which means:
> 
>    - the ability to exchange keys
>    - some ciphersuite for wrap and MIC tokens
> - the ability to use this mechanism as a TLS 1.3 PSK

How do people feel about the security layer just being raw TLS 1.3 bootstrapped using PSK, or as close to that as possible? (Not quite sure what to do with the GSS MIC functions here, though. Maybe just draw a MAC key from a TLS exporter?)

I say this in part because re-using Kerberos encryption types as other mechs have done makes implementing a new mech outside of Kerberos a gigantic pain in the arse. If we use TLS 1.3 PSKs, you can just use a TLS stack, which you probably already have.

(Maybe we could define this framework style, provide a knob which can be used to turn this on for supporting existing mechs, and update those existing mechs to support it, and then just make it the only option for the new mech)

One other thing I’d like to suggest, since we were just talking about it:

- Built-in ability to proxy credential acquisition through the acceptor, IAKerb-style, where the “KDC” authentication is itself just recursively tunnelled GSS-API (so we can do SCRAM or something)

Probably should be optional on both ends, but I think building this in will avoid a bunch of the complications seen with IAKerb.

I suspect we’d end up with multiple ways of getting our TGT equivalent for this system, but maybe that’s not the worst thing in the world (in fact it’s probably just pragmatic).


- Erin
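The "draw a MAC key from a TLS exporter" idea in the message above, worked through as an added example (editor's code, not Erin's and not anything the kitten WG has specified). It implements RFC 8446's HKDF-Expand-Label, Derive-Secret and the section 7.5 exporter with nothing but the Python standard library, then uses an exported key to produce and verify a simple sequence-numbered MIC token, which is what a GSS `gss_get_mic`/`gss_verify_mic` pair would need once the security layer itself is raw TLS 1.3. Assumptions: the `exporter_master_secret` is a constructed stand-in for the value a real TLS 1.3 stack exposes through its exporter interface (for example OpenSSL's `SSL_export_keying_material`); the exporter label `EXPORTER-gss-mic-example` is hypothetical (a real mechanism would have to register one); and the token layout (`seq || HMAC`) is an illustration, not a proposed wire format. Because exporter output is derived from the connection's own handshake, both peers only arrive at the same MIC key if they completed the same handshake, which is the binding that makes this safe to use as a per-connection MIC key.

```python
"""TLS 1.3 exporter -> MIC key, as an added example (not code from the thread).

RFC 8446 key schedule primitives (HKDF-Expand-Label, Derive-Secret) and the
section 7.5 exporter, followed by a sequence-numbered HMAC MIC token built
from the exported key. The exporter_master_secret below is a CONSTRUCTED
stand-in for what a real TLS stack exposes (e.g. OpenSSL
SSL_export_keying_material); the exporter label and token layout are
hypothetical, for illustration only.
"""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256 ciphersuites


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_label(label: bytes, context: bytes, length: int) -> bytes:
    """Encode the RFC 8446 HkdfLabel struct: uint16 length, label<7..255>
    with the "tls13 " prefix, context<0..255>."""
    full = b"tls13 " + label
    if not (7 <= len(full) <= 255 and len(context) <= 255):
        raise ValueError("label/context out of HkdfLabel range")
    return (struct.pack("!H", length) + bytes([len(full)]) + full
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    return hkdf_expand(secret, hkdf_label(label, context, length), length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages) with Transcript-Hash = Hash(messages)."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def tls_exporter(exporter_master_secret: bytes, label: bytes,
                 context: bytes, key_length: int) -> bytes:
    """RFC 8446 section 7.5:
    HKDF-Expand-Label(Derive-Secret(Secret, label, ""), "exporter",
                      Hash(context_value), key_length)"""
    return hkdf_expand_label(derive_secret(exporter_master_secret, label, b""),
                             b"exporter", HASH(context).digest(), key_length)


# Hypothetical label: a real mechanism would register its own exporter label.
MIC_LABEL = b"EXPORTER-gss-mic-example"
MIC_KEY_LEN = 32
SEQ_LEN = 8


def mic_key(exporter_master_secret: bytes, context: bytes = b"") -> bytes:
    """Both peers call this with their own (identical) exporter secret."""
    return tls_exporter(exporter_master_secret, MIC_LABEL, context, MIC_KEY_LEN)


def get_mic(key: bytes, seq: int, data: bytes) -> bytes:
    """Token = seq (uint64 BE) || HMAC(key, seq || data). The sequence number
    is authenticated so a replayed or reordered token is rejected."""
    hdr = struct.pack("!Q", seq)
    return hdr + hmac.new(key, hdr + data, HASH).digest()


def verify_mic(key: bytes, token: bytes, data: bytes, expected_seq: int) -> bool:
    if len(token) != SEQ_LEN + HASH_LEN:
        return False
    hdr, tag = token[:SEQ_LEN], token[SEQ_LEN:]
    if struct.unpack("!Q", hdr)[0] != expected_seq:
        return False
    return hmac.compare_digest(tag, hmac.new(key, hdr + data, HASH).digest())


def demo() -> bool:
    """Initiator and acceptor derive the MIC key independently from the
    (constructed) exporter secret; good token verifies, tampered ones fail."""
    ems = HASH(b"constructed exporter_master_secret, not from a real handshake").digest()
    k_initiator, k_acceptor = mic_key(ems), mic_key(ems)
    token = get_mic(k_initiator, 0, b"gss-mic-protected payload")
    ok = verify_mic(k_acceptor, token, b"gss-mic-protected payload", 0)
    bad_data = verify_mic(k_acceptor, token, b"gss-mic-protected payloaD", 0)
    replayed = verify_mic(k_acceptor, token, b"gss-mic-protected payload", 1)
    return k_initiator == k_acceptor and ok and not bad_data and not replayed


if __name__ == "__main__":
    print("exporter-derived MIC round trip:", "ok" if demo() else "FAILED")
```

The HKDF and label encoding are the parts worth checking against something independent: the RFC 5869 test vectors pin down `hkdf_extract`/`hkdf_expand`, and the HkdfLabel encoding is byte-for-byte what RFC 8446 specifies, so swapping in a real `exporter_master_secret` from a TLS stack yields the same key material the stack's own exporter call would return.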