IETF Logo Mail Archive

Re: [kitten] Kerberos preauth negotiation techniques

Benjamin Kaduk <kaduk@MIT.EDU> Wed, 18 February 2015 18:34 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A325C1A001B for <kitten@ietfa.amsl.com>; Wed, 18 Feb 2015 10:34:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c1DHftby_ye0 for <kitten@ietfa.amsl.com>; Wed, 18 Feb 2015 10:34:22 -0800 (PST)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11E561A0007 for <kitten@ietf.org>; Wed, 18 Feb 2015 10:34:21 -0800 (PST)
X-AuditID: 1209190f-f79546d000007593-58-54e4db2cbca1
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id 7B.46.30099.C2BD4E45; Wed, 18 Feb 2015 13:34:20 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id t1IIYJl3010285; Wed, 18 Feb 2015 13:34:20 -0500
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t1IIYHdA023689 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 18 Feb 2015 13:34:18 -0500
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id t1IIYH0Y007545; Wed, 18 Feb 2015 13:34:17 -0500 (EST)
Date: Wed, 18 Feb 2015 13:34:16 -0500
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Nathaniel McCallum <npmccallum@redhat.com>
In-Reply-To: <1424189675.2645.23.camel@redhat.com>
Message-ID: <alpine.GSO.1.10.1502181326460.3953@multics.mit.edu>
References: <x7da90k47ox.fsf@equal-rites.mit.edu> <1424189675.2645.23.camel@redhat.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrFIsWRmVeSWpSXmKPExsUixCmqratz+0mIwb3dyhZHN69isZj7dRar A5PHkiU/mTze77vKFsAUxWWTkpqTWZZapG+XwJXxeMdftoI3nBUTb5c3MH5j72Lk5JAQMJE4 cng6G4QtJnHh3nogm4tDSGAxk0Trqo+MIAkhgY2MErcmJkLYh5gk9h9zgShqYJR4MXc12CQW AW2JJWf3M4PYbAIqEjPfbASbKiKgJ7Fs3wSgQRwczAJGEhd+ZYCEhQVsJSbf/g5WzgkUXnzs BFg5r4CDxMJDX1kgdoVLXHs0HaxGVEBHYvX+KSwQNYISJ2c+AbOZBbQklk/fxjKBUXAWktQs JKkFjEyrGGVTcqt0cxMzc4pTk3WLkxPz8lKLdE30cjNL9FJTSjcxgoNUkn8H47eDSocYBTgY lXh4O5iehAixJpYVV+YeYpTkYFIS5T1+EyjEl5SfUpmRWJwRX1Sak1p8iFGCg1lJhHfHPqAc b0piZVVqUT5MSpqDRUmcd9MPvhAhgfTEktTs1NSC1CKYrAwHh5IEr8ctoEbBotT01Iq0zJwS hDQTByfIcB6g4akgNbzFBYm5xZnpEPlTjIpS4rwhIAkBkERGaR5cLyyJvGIUB3pFmLcNpIoH mIDgul8BDWYCGjz/zyOQwSWJCCmpBsYAj5mqwrOqq7XSP+ydLRiopL0n7lPj15QTGxevSLxu vcstT+loT/Xl3Ib+Nwf0+JWFp7arlugJ7XKX9E45eflj2Noi628J0/neC2Sy/qte4RSjZn1K NuTKlPSObn4Oy7BoBQmltkdb0p7KPdOdy+k2L+LFRrHtiv+9LhmZ2V+rzv3S4q5Yo8RSnJFo qMVcVJwIALXR82T9AgAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/QNEV6zjC5vCWcEL8BankcWfuvoo>
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos preauth negotiation techniques
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 18:34:26 -0000

On Tue, 17 Feb 2015, Nathaniel McCallum wrote:

> So a KDC can actually implement both 1 and 3 simultaneously. If the
> KDC does not receive the padata in the first step (option 3), it
> generates the empty hint (option 1). Otherwise, 1 and 3 are identical.
> Only one thing differs: PREAUTH_REQUIRED or
> MORE_PREAUTH_DATA_REQUIRED. Can we just always use the latter error?

It is safe to use MORE_PREAUTH_DATA_REQUIRED since we can document that
support for that error is a requirement of the new preauth mechanism.

Determining whether it is acceptable to ask for MORE_PREAUTH in response
to the initial AS-REQ (including the hints which we are calling optimistic
preauth here), as opposed to just PREAUTH_REQUIRED, will probably require
a close reading of the relevant RFCs.

> After thinking about this (and implementing it), I think the best way
> forward is 1 with 3 as an optional optimization. The KDC should always
> support both 1 and 3; adding support for (optional) 3 should be
> trivial. Clients should choose whether or not to support 3 based on
> complexity of implementation; 3 can always be added later as an
> optimization.

That does seem like the best way forward, as the rest of the thread is
concluding.

-Ben

v2.23.0 | Report a Bug | By Email