Re: [kitten] FW: New Version Notification for draft-ietf-kitten-iakerb-00.txt

Greg Hudson <ghudson@MIT.EDU> Thu, 11 April 2013 20:39 UTC

Message-ID: <51671F8E.3050701@mit.edu>
Date: Thu, 11 Apr 2013 16:39:42 -0400
From: Greg Hudson <ghudson@MIT.EDU>
To: Jim Schaad <ietf@augustcellars.com>
References: <20130411064110.29519.54840.idtracker@ietfa.amsl.com> <001201ce3695$c13005e0$439011a0$@augustcellars.com> <005301ce36e6$265d9bd0$7318d370$@augustcellars.com>
In-Reply-To: <005301ce36e6$265d9bd0$7318d370$@augustcellars.com>
Cc: kitten@ietf.org
Subject: Re: [kitten] FW: New Version Notification for draft-ietf-kitten-iakerb-00.txt

Unfortunately, I have another issue to raise.

We implemented IAKERB for MIT krb5 1.9, but due to an oversight, we
implemented draft-zhu-ws-kerb-03 instead of draft-ietf-krb-wg-iakerb-02.
Looking at the two drafts briefly, it appears that:

* Both use the same mech OID, the same IAKERB_PROXY token format, and
the same error codes.  Both require an authenticator subkey in the AP-REQ.

* The two drafts define the "finished" extension slightly differently:

  - draft-zhu-ws-kerb-03 defines the data type as TBD and a key usage of
42.  In MIT krb5 1.9, we used an extension type of 1.

  - draft-ietf-krb-wg-iakerb-02 refers to draft-zhu-pku2u-09, which uses
an extension type of 2 and a key usage of 41.

  The two drafts use functionally identical ASN.1 sequences, checksum
contents, and checksum keys.  They use different names for the data
type, ASN.1 type name, and ASN.1 sequence field name, but those have no
impact on the wire encoding.

Because of the differences in data type and key usage, the two drafts
are not interoperable.  Conceivably an acceptor could allow both
versions of the finished extension, but an initiator would have to guess
at what the other end can accept.

The only other IAKERB implementation I'm aware of is in OSX, which
appears to implement draft-ietf-krb-wg-iakerb-02.