Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt

Michiko Short <michikos@microsoft.com> Wed, 06 April 2016 18:17 UTC

From: Michiko Short <michikos@microsoft.com>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Date: Wed, 06 Apr 2016 18:17:30 +0000
Message-ID: <BY1PR03MB1417507F49B24921745DD89BD09F0@BY1PR03MB1417.namprd03.prod.outlook.com>
References: <20160321223215.12211.35084.idtracker@ietfa.amsl.com> <56F0945E.5070804@openfortress.nl> <BLUPR0301MB1953F7DDC9FD35D3139F4F20CD800@BLUPR0301MB1953.namprd03.prod.outlook.com> <56F0EFBD.90800@openfortress.nl> <56F13EEB.70502@mit.edu> <BY1PR03MB1417EBB6878983B57073528CD0800@BY1PR03MB1417.namprd03.prod.outlook.com> <alpine.GSO.1.10.1604061016100.26829@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1604061016100.26829@multics.mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/QpgQRa_grlZApx13_LcJ7rsqE3w>
Cc: "kitten@ietf.org" <kitten@ietf.org>, "draft-ietf-kitten-pkinit-freshness@ietf.org" <draft-ietf-kitten-pkinit-freshness@ietf.org>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt

You got it. :) 

Can we get an IANA number as well?

-----Original Message-----
From: Benjamin Kaduk [mailto:kaduk@MIT.EDU] 
Sent: Wednesday, April 6, 2016 7:23 AM
To: Michiko Short <michikos@microsoft.com>
Cc: Greg Hudson <ghudson@MIT.EDU>; kitten@ietf.org; draft-ietf-kitten-pkinit-freshness@ietf.org
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt

Hi Michiko,

Can you please submit a new revision making the MUST --> SHOULD change?

Also, I would like to get an explicit confirmation from Greg that this text is not problematic (in Section 2.4):

   [...] If the freshness token is not valid, the KDC MUST
   return a KRB_ERROR [RFC4120] message with the error-code
   KDC_ERR_PREAUTH_EXPIRED [RFC6113].  The e-data field of the error
   contains a METHOD-DATA object [RFC4120] which specifies a valid
   PA_AS_FRESHNESS padata-value.

I see an old comment from Greg in the archives that RFC 6113 made no specification for including METHOD-DATA in a KDC_ERR_PREAUTH_EXPIRED error packet, but a more recent message indicated general acceptance of the whole document (with no specific mention of this text).  My understanding is that the concern related to the need to unambiguously specify how to construct the error packet, since RFC 6113 did not give guidance on this scenario (whereas RFC 4120 did give guidance for constructing error packets for KDC_ERR_PREAUTH_FAILED), but the thread is old enough that I would like another confirmation.

Thanks,

Ben

On Tue, 22 Mar 2016, Michiko Short wrote:

> Since the infinite loop problem exists for Kerberos clients already, I would prefer to not specify something since this is an extension to an extension.
>
> However, the must is valid. Not sure how we all missed that.
> "If a client receives a KDC_ERR_PREAUTH_EXPIRED KRB_ERROR message that includes a freshness token, it SHOULD retry using the new freshness token."
>
> I would really like to get this to last call and get the official IANA number
>
> -----Original Message-----
> From: Greg Hudson [mailto:ghudson@mit.edu]
> Sent: Tuesday, March 22, 2016 5:48 AM
> To: Rick van Rein <rick@openfortress.nl>; Paul Miller (NT) <paumil@microsoft.com>
> Cc: kitten@ietf.org; draft-ietf-kitten-pkinit-freshness@ietf.org
> Subject: Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt
>
> On 03/22/2016 03:09 AM, Rick van Rein wrote:
> >> It is the responsibility of the client not to retry indefinitely.
> >
> > May I suggest that you state that in the text?  The current draft is a procedure, and could benefit from invariant statements to clarify the cases that fall outside of the intended procedure.
>
> If I understand correctly, we are worried about an infinite loop of AS-REQ -> KDC_ERR_PREAUTH_EXPIRED -> AS-REQ -> ... due to the section 2.5.
>
> If we need to alter this text anyway, I don't like the requirement that "If a client receives a KDC_ERR_PREAUTH_EXPIRED KRB_ERROR message that includes a freshness token, it MUST retry using the new freshness token."  MUSTs are to be used when behavior "is actually required for interoperation or to limit behavior which has potential for causing harm" (RFC 2119 section 6).  A client which implements RFC 6113 could respond to KDC_ERR_PREAUTH_EXPIRED the same way it already does, by retrying from the beginning, without affecting interoperability or causing harm.
>
> I suggest the following text:
>
>   If a client receives a KDC_ERR_PREAUTH_EXPIRED KRB_ERROR message that
>   includes a freshness token, it SHOULD retry the PKINIT-authenticated
>   AS-REQ using the new freshness token.  The client MAY restart the
>   conversation instead.  The client MUST limit the number of retries to
>   avoid looping forever in case of a misbehaving KDC.
>
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten
>
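The client-side loop that Greg's proposed text bounds (AS-REQ -> KDC_ERR_PREAUTH_EXPIRED -> AS-REQ ...), as an added example that is not from the draft, from anyone in this thread, or from any Kerberos implementation. It shows a simplified PKINIT client that retries with the freshness token carried in the KRB-ERROR e-data, and gives up after a fixed number of retries when a misbehaving KDC never stops issuing new tokens. The message classes are plain Python stand-ins for KRB-ERROR, METHOD-DATA and PA-DATA rather than real ASN.1; error code 90 is KDC_ERR_PREAUTH_EXPIRED from RFC 6113; the padata-type 150 for PA_AS_FRESHNESS is an assumption (the thread shows the IANA number was still pending); the KDC classes, `pkinit_as_exchange` and the retry limit are hypothetical.

```python
"""Bounded retry on KDC_ERR_PREAUTH_EXPIRED for a PKINIT freshness client.

Added example, not code from the draft or the thread. The message types
below are simplified stand-ins for KRB-ERROR / METHOD-DATA / PA-DATA.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

KDC_ERR_PREAUTH_FAILED = 24     # RFC 4120
KDC_ERR_PREAUTH_EXPIRED = 90    # RFC 6113
PA_AS_FRESHNESS = 150           # ASSUMPTION: padata-type not yet assigned in the thread


@dataclass
class PaData:
    padata_type: int
    padata_value: bytes


@dataclass
class KrbError:
    error_code: int
    e_data: List[PaData] = field(default_factory=list)  # METHOD-DATA: SEQUENCE OF PA-DATA

    def freshness_token(self) -> Optional[bytes]:
        """Return the PA_AS_FRESHNESS padata-value if the KDC supplied one."""
        for pa in self.e_data:
            if pa.padata_type == PA_AS_FRESHNESS:
                return pa.padata_value
        return None


@dataclass
class AsRep:
    client: str


class FreshnessKdc:
    """Hypothetical well-behaved KDC: issues a token and accepts only the current one."""

    def __init__(self) -> None:
        self._counter = 0
        self._current: Optional[bytes] = None

    def _new_token(self) -> bytes:
        self._counter += 1
        self._current = f"token-{self._counter}".encode()
        return self._current

    def as_req(self, client: str, token: Optional[bytes]) -> Union[AsRep, KrbError]:
        if token is None or token != self._current:
            # Draft section 2.4 behaviour: PREAUTH_EXPIRED with a fresh token in e-data.
            return KrbError(KDC_ERR_PREAUTH_EXPIRED,
                            [PaData(PA_AS_FRESHNESS, self._new_token())])
        return AsRep(client)


class MisbehavingKdc(FreshnessKdc):
    """Hypothetical broken KDC: rejects every request and always mints a new token.

    A client that retried unconditionally would loop against this forever."""

    def as_req(self, client: str, token: Optional[bytes]) -> Union[AsRep, KrbError]:
        return KrbError(KDC_ERR_PREAUTH_EXPIRED,
                        [PaData(PA_AS_FRESHNESS, self._new_token())])


def pkinit_as_exchange(kdc: FreshnessKdc, client: str,
                       max_retries: int = 3) -> Tuple[Union[AsRep, KrbError], int]:
    """Run the AS exchange, retrying on PREAUTH_EXPIRED with the supplied token.

    Returns (result, attempts). One initial request plus at most max_retries
    retries are sent; anything other than PREAUTH_EXPIRED carrying a token
    ends the exchange immediately (the client may restart the conversation
    from scratch instead, which this example does not do)."""
    token: Optional[bytes] = None
    attempts = 0
    while True:
        attempts += 1
        resp = kdc.as_req(client, token)
        if isinstance(resp, AsRep):
            return resp, attempts
        new_token = resp.freshness_token()
        if resp.error_code != KDC_ERR_PREAUTH_EXPIRED or new_token is None:
            return resp, attempts
        if attempts - 1 >= max_retries:
            # Retry budget exhausted: stop rather than loop on a misbehaving KDC.
            return resp, attempts
        token = new_token


if __name__ == "__main__":
    print(pkinit_as_exchange(FreshnessKdc(), "alice@EXAMPLE.COM"))
    print(pkinit_as_exchange(MisbehavingKdc(), "alice@EXAMPLE.COM"))
```

Against the well-behaved KDC the first request is rejected with a token and the second succeeds; against the misbehaving one the client stops after `max_retries` retries and surfaces the last KRB-ERROR, which is the invariant Rick asked to have stated explicitly. A real client would also check that the error's e-data parses as METHOD-DATA before trusting it, since RFC 6113 itself says nothing about e-data for this error code.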