IETF Logo Mail Archive

Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?

Nico Williams <nico@cryptonector.com> Thu, 19 May 2016 16:45 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D591E12D614 for <kitten@ietfa.amsl.com>; Thu, 19 May 2016 09:45:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bpwo5o-wadVC for <kitten@ietfa.amsl.com>; Thu, 19 May 2016 09:45:57 -0700 (PDT)
Received: from homiemail-a105.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96CBD12DA98 for <kitten@ietf.org>; Thu, 19 May 2016 09:45:44 -0700 (PDT)
Received: from homiemail-a105.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a105.g.dreamhost.com (Postfix) with ESMTP id 03FB82005E804; Thu, 19 May 2016 09:45:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=zJm2qODasuAg+f 0ScVT0QvkDmug=; b=bBsynTp9v/ZyXU0MSwviiLuPhCoqzdpZXAcqiXd3O+y3F7 ef6rC0JqmXOw5HUL/+xb5et8n/XnzelJsHdGj0qXPokTpAS5sDUvym9fCPT16X8r vrwxkbTSY65CGthhaWrDT8O6ryB97sCyWBu5LGdPdM+J/dOPY8qixXmlkyl/g=
Received: from localhost (108-207-244-100.lightspeed.austtx.sbcglobal.net [108.207.244.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a105.g.dreamhost.com (Postfix) with ESMTPSA id 4FE2B2005E808; Thu, 19 May 2016 09:45:43 -0700 (PDT)
Date: Thu, 19 May 2016 11:45:40 -0500
From: Nico Williams <nico@cryptonector.com>
To: Nathaniel McCallum <npmccallum@redhat.com>
Message-ID: <20160519164540.GC19530@localhost>
References: <1463500163.2432.9.camel@redhat.com> <54c900f2-399c-0ff0-c292-91baba495a21@secure-endpoints.com> <20160519161004.GA19530@localhost> <1463675293.31173.25.camel@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1463675293.31173.25.camel@redhat.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/RcJp2qwCR6yySyZkBu8v6Ll961U>
Cc: kitten@ietf.org
Subject: Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 May 2016 16:45:59 -0000

On Thu, May 19, 2016 at 12:28:13PM -0400, Nathaniel McCallum wrote:
> > (though it once aimed for Proposed Standard; we might want to find
> > out why it ended up being Informational).
> 
> I have already inquired. I was informed that the change was made simply
> for the reason that all DNS RR type definitions are informational. To
> avoid a downreference, I was advised to reference IANA instead of the
> RFC:
> http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml

Thanks.

> > And if we're going to use URI, then we'll need a 'krbtgt' URI scheme
> > by which to express the four protocols we have (raw over TCP, raw
> > over UDP, HTTP MSFT-style, and HTTP Heimdal-style:
> 
> One reason to avoid "krbtgt" is that we are actually defining transport
> mechanisms for multiple protocols: kerberos and kpasswd, at a minimum.
> I suspect implementors will extract this to additional protocols.

On the contrary, that's all the more reason to want URI schemes for
Kerberos: we can then add additional URI schemes for the related
protocols (kpasswd, kadmin Heimdal flavor, kadmin MIT flavor, kadmin
Solaris flavor, admin via LDAP, and whatever else comes up).

> But in general, I don't care what the actual URIs look like.

Me either, as long as they can express the options we have to be able to
express.

> As you may have hinted, it may be worth considering implementing a URI
> for Heimdal's proxy. I left it off the current draft since there is no
> protocol definition; just some code.

Sure, but we can document it if need be.  The point is that we have more
than just three options to express, and if you include kpasswd and such,
we have more than four.  It's critical to be able to get at least the
KDCs with one DNS question (perhaps using EDNS0 or falling back on DNS
over TCP if the answers don't fit in a DNS UDP response).

Nico
--

v2.23.0 | Report a Bug | By Email