Re: [kitten] I-D Action: draft-ietf-kitten-iakerb-00.txt

Benjamin Kaduk <kaduk@MIT.EDU> Sun, 05 May 2013 21:53 UTC

Date: Sun, 05 May 2013 17:53:28 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: kitten@ietf.org
In-Reply-To: <20130411064110.29519.86993.idtracker@ietfa.amsl.com>
Message-ID: <alpine.GSO.1.10.1305051638540.9389@multics.mit.edu>
References: <20130411064110.29519.86993.idtracker@ietfa.amsl.com>

On Wed, 10 Apr 2013, internet-drafts@ietf.org wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Common Authentication Technology Next Generation Working Group of the IETF.
>
> 	Title           : Initial and Pass Through Authentication Using Kerberos V5 and the GSS-API (IAKERB)
> 	Author(s)       : Jim Schaad
>                          Larry Zhu
>                          Jeffery Altman
> 	Filename        : draft-ietf-kitten-iakerb-00.txt
> 	Pages           : 9
> 	Date            : 2013-04-10
>
> Abstract:
>   This document defines extensions to the Kerberos protocol and the
>   GSS-API Kerberos mechanism that enable a GSS-API Kerberos client to
>   exchange messages with the KDC using the GSS-API acceptor as the

I think the last "the" on this line should be "a".

Likewise for where "the proxy" appears in the introduction's last 
paragraph.

>   proxy, by encapsulating the Kerberos messages inside GSS-API tokens.
>   With these extensions a client can obtain Kerberos tickets for
>   services where the KDC is not accessible to the client, but is
>   accessible to the application server.

Other comments:

Also in the introduction, no expansion or motivation for the name/term 
"IAKERB" is given when it is first introduced.  (None is given elsewhere 
in the document that I can see, either.)

The top of page 4 seems to have some editing errors, referring to a 
"GSS-API server" (not acceptor), and then in the following paragraph does 
not specify that the KRB_ERROR message should be used in the IAKERB_PROXY 
message in place of an actual KDC reply.

Hmm, "GSS-API server" appears in at least one other place as well.

In the security considerations, the sentence "To reduce attack surface, 
firewall filters can be applied to allow from which hosts the client 
requests can be proxied and the proxy can further restrict the set of 
realms to which the requests can be proxied." has an unusual, perhaps even 
incorrect, sentence structure (in particular "allow from which hosts").

I think it would be feasible to extract the necessary bits from PKU2U and 
include them in this document, but defer to tomorrow's discussion.

-Ben