Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Nico Williams <nico@cryptonector.com> Tue, 21 February 2023 21:38 UTC

Date: Tue, 21 Feb 2023 15:38:21 -0600
From: Nico Williams <nico@cryptonector.com>
To: Simo Sorce <simo@redhat.com>
Cc: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/U5zbEFm6pGHIS1@gmail.com>
References: <6cb6f5ddfc7b9b150b4eef72db5a3f3b9566fd80.camel@redhat.com> <20230219194355.36139173DDE@pb-smtp2.pobox.com> <Y/K2IEhX6c+b05Ye@gmail.com> <Y/QT7BxdTHq0RYTz@gmail.com> <7064A9EB-EB01-426C-9BED-AFB97FA93551@padl.com> <Y/Q7hdTOF1HaxQKM@gmail.com> <Y/RFX4XywCAlhCeB@gmail.com> <MW4PR21MB197087AF4BB7632B0DF662619CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/T/3wwBIMZ+2mf6@gmail.com> <79d730c13949d649783a0e565a8c108abad944a1.camel@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <79d730c13949d649783a0e565a8c108abad944a1.camel@redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/PiUEtUbm_m8KtKna3Pp10AOlPb4>

On Tue, Feb 21, 2023 at 03:29:45PM -0500, Simo Sorce wrote:
> On Tue, 2023-02-21 at 11:31 -0600, Nico Williams wrote:
> > On Tue, Feb 21, 2023 at 04:44:15PM +0000, Steve Syfuhs (AP) wrote:
> > > You might also consider Active Directory's (group) managed service
> > > accounts. At least the group keying mechanism.
> > 
> > Where would I learn more about that?
> 
> FreeIPA has a similar feature geared towards unix systems where
> traditionally different services use different keytabs.
> It allows delegating to a specific service (say the host principal)
> the ability to fetch keytabs for other services (not necessarily in
> the same name either).
> 
> Old design page here, may look somewhat different these days:
> https://www.freeipa.org/page/V4/Keytab_Retrieval_Management

Right, this is the sort of thing we need.

I'll note that with the HTTP approach we took in Heimdal the client can
be curl(1), Python requests, or any HTTP client you like that can do
Negotiate or JWT.

It doesn't get easier for interoperability than that.  We even get to
negotiate Content-Type if need be (so we could return passwords a la AD
if that were necessary, or keytabs, or whatever format is needed for
whatever software stacks people have).

Nico
--
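Added example, not code from this thread or from Heimdal: a keytab is one of the Content-Types the message above says such an endpoint could return, and a client that fetches one over HTTP (curl(1) writing the body to a file, say) still has to parse it and decide whether to trust it. The block below encodes and parses the MIT/Heimdal keytab file format (version 0x0502, including the 32-bit kvno extension and deleted-entry holes) and runs the sanity checks a fetching client would want: the keys are for the principal it asked for, the enctypes are current, and the kvno is not stale. The principal, key bytes, timestamp and kvno are constructed sample data.

```python
"""Encode/parse MIT/Heimdal keytabs (format 0x0502) and sanity-check fetched keys.
Added example; the sample principal, keys and the policy in check_keytab are
constructed for illustration and are not Heimdal's own code."""
import struct
from dataclasses import dataclass

# AES enctypes from RFC 3962 / RFC 8009; anything else is treated as legacy here.
MODERN_ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                   19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192"}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str          # "svc/host@REALM"; no escaping of '/' or '@' in names
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0
    name_type: int = KRB5_NT_PRINCIPAL


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, off: int, end: int):
    # uint16 length + bytes, bounded by the enclosing entry so a bad length
    # cannot read into the next entry or past the buffer.
    if off + 2 > end:
        raise ValueError("truncated counted string")
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    if off + n > end:
        raise ValueError("counted string runs past entry")
    return data[off:off + n].decode("utf-8"), off + n


def encode_keytab(entries) -> bytes:
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, _, realm = e.principal.rpartition("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps))) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)           # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body  # int32 size; negative marks a deleted slot
    return bytes(out)


def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # hole left by a deleted entry: skip it
            off += -size
            continue
        if size == 0:
            raise ValueError("zero-length entry")
        end = off + size
        if end > len(data):
            raise ValueError("entry runs past end of file")
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off, end)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off, end)
            comps.append(c)
        if off + 13 > end:
            raise ValueError("truncated entry header")
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        if off + klen > end:
            raise ValueError("key runs past entry")
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno; zero means "use the 8-bit one"
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, ts, name_type))
        off = end
    return entries


def check_keytab(entries, expected_principal: str, min_kvno: int = 1) -> list:
    """Checks a client should run on keys it just fetched; returns a list of problems."""
    problems = []
    if not any(e.principal == expected_principal for e in entries):
        problems.append(f"no keys for {expected_principal}")
    for e in entries:
        if e.principal != expected_principal:
            problems.append(f"unexpected principal {e.principal}")
        if e.enctype not in MODERN_ENCTYPES:
            problems.append(f"legacy enctype {e.enctype} for {e.principal} kvno {e.kvno}")
        if e.kvno < min_kvno:
            problems.append(f"stale kvno {e.kvno} for {e.principal}")
    return problems


# Constructed sample: a fresh AES-256 key (kvno > 255 exercises the 32-bit kvno)
# alongside a leftover RC4 key for the same principal.
SAMPLE = encode_keytab([
    KeytabEntry("host/www.example.com@EXAMPLE.COM", 300, 18, bytes(range(32)), 1677015504),
    KeytabEntry("host/www.example.com@EXAMPLE.COM", 300, 23, bytes(16), 1677015504),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        print(e.principal, e.kvno, MODERN_ENCTYPES.get(e.enctype, e.enctype), e.key.hex())
    print(check_keytab(parse_keytab(SAMPLE), "host/www.example.com@EXAMPLE.COM"))
```

Every length read is bounded by the entry's own size prefix before it is used, so a truncated or malformed response fails with a ValueError rather than being silently accepted or misparsed; the RC4 entry in the sample is flagged by check_keytab so the caller can reject the fetched file instead of installing it.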