IETF Logo Mail Archive

Re: [kitten] [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04

Greg Hudson <ghudson@mit.edu> Thu, 05 January 2017 19:57 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC13E129601; Thu, 5 Jan 2017 11:57:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.3
X-Spam-Level:
X-Spam-Status: No, score=-7.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id czbU5Ybi5S5f; Thu, 5 Jan 2017 11:57:53 -0800 (PST)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33C13129654; Thu, 5 Jan 2017 11:57:53 -0800 (PST)
X-AuditID: 12074423-4c3ff70000003dbe-4b-586ea53f0feb
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 13.8D.15806.F35AE685; Thu, 5 Jan 2017 14:57:52 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v05JvoD3028325; Thu, 5 Jan 2017 14:57:51 -0500
Received: from [18.101.8.126] (vpn-18-101-8-126.mit.edu [18.101.8.126]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v05Jvmw0030807 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 5 Jan 2017 14:57:49 -0500
To: Benjamin Kaduk <kaduk@mit.edu>, Christian Huitema <huitema@huitema.net>
References: <005f01d263d5$84b14680$8e13d380$@huitema.net> <006f01d263d8$435dc430$ca194c90$@huitema.net> <20170103062001.GN8460@kduck.kaduk.org> <00c901d26766$566e9ae0$034bd0a0$@huitema.net> <20170105194728.GU8460@kduck.kaduk.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <e65843f9-c8e9-7b2d-0f22-27be8b5e95ca@mit.edu>
Date: Thu, 05 Jan 2017 14:57:48 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <20170105194728.GU8460@kduck.kaduk.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupgleLIzCtJLcpLzFFi42IR4hRV1nVYmhdhMH2bkMXclt8sFpMbZ7Nb zPgzkdni6OZVLBYfFj5kcWD1uDXjFIvHkiU/mQKYorhsUlJzMstSi/TtErgyXu55y1LwlKVi Yv9PpgbGb8xdjJwcEgImEq/b7jB1MXJxCAm0MUkc7t0AlhAS2MAo8elUNkTiCJPE/V37wBLC ApESW2/PZwKxRQS8JT42zWKBKHrLKHHywxdmEIdZYAKjxIzPJ9hBqtgElCXW79/KAmLzClhJ tBzqZQSxWQRUJKa3/gSq4eAQFYiQaDicDlEiKHFy5hOwck6g854eWAq2mFlAT2LH9V+sELa8 xPa3c5gnMArMQtIyC0nZLCRlCxiZVzHKpuRW6eYmZuYUpybrFicn5uWlFuma6eVmluilppRu YgQFMruL8g7Gl33ehxgFOBiVeHgjvPIihFgTy4orcw8xSnIwKYnyps4ACvEl5adUZiQWZ8QX leakFh9ilOBgVhLhXTcPKMebklhZlVqUD5OS5mBREue9lOkeISSQnliSmp2aWpBaBJOV4eBQ kuCVWwLUKFiUmp5akZaZU4KQZuLgBBnOAzRcejHI8OKCxNzizHSI/ClGXY4D71c8ZRJiycvP S5US560DKRIAKcoozYObA05AqRx1rxjFgd4S5p0Iso4HmLzgJr0CWsIEtGR7QDbIkpJEhJRU A6O4j89kkftXVtqXtB5U7vBf17smtKNRYYNOMUPLL5l/5RyZBSIqE1m6J8p1l3wr8CnOesqg 9OfLXuHN5+xnn1tX89Io1fK1YX/W++rL9+wOnf5nv/vUUoHDRWknzz2qrWLef/vaV62tld7f Waewm+aHqV/6J86mriTJKxl9qXFZ+uu1dkkL7JRYijMSDbWYi4oTAc4q4jEbAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/RNAxALi00mjf1E7uTnPQ7MTJieE>
Cc: kitten@ietf.org, draft-ietf-kitten-krb-auth-indicator.all@ietf.org, 'IESG' <iesg@ietf.org>, 'secdir' <secdir@ietf.org>
Subject: Re: [kitten] [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 19:57:56 -0000

On 01/05/2017 02:47 PM, Benjamin Kaduk wrote:
> I don't think so, but will loop in the WG to confirm.
> The ad-type should indicate what is immediately inside the next encoding
> layer of the ad-data.  So a Ticket might have an AuthorizationData that
> contains ad-type 1 (AD-IF-RELEVANT), that itself contains AuthorizationData
> with ad-type 96 (AD-CAMMAC), that in turn contains AuthorizationData with
> ad-type 97 (AD-AUTHENTICATION-INDICATOR).  So, 97 should appear only at
> the lowest level, and correspond to ad-data that's just the
> AD-AUTHENTICATION-INDICATOR itself.

I agree with Ben.

v2.23.0 | Report a Bug | By Email