Re: [kitten] Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Jeffrey Altman <jaltman@secure-endpoints.com> Fri, 17 February 2023 13:31 UTC

Message-ID: <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com>
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Organization: Secure Endpoints, Inc.
To: kitten@ietf.org
In-Reply-To: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/StaU2gKewX6btIC6LB5naIraJng>

Please note that draft 3 does not include all of the feedback provided 
on draft 2.

The draft 2 feedback starts with this archived message

https://mailarchive.ietf.org/arch/msg/kitten/5l6CknOZBF39aZps7wQIsl_L-6o/

and the diff between drafts 2 and 3 can be found here

https://www.ietf.org/rfcdiff?url2=draft-ietf-kitten-iakerb-03

The discussion around error handling and default realm determination is 
particularly important in my opinion.

I do not believe there are any implementations of draft 3.

Jeffrey Altman

On 2/16/2023 6:57 PM, Steve Syfuhs (AP) 
(Steve.Syfuhs=40microsoft.com@dmarc.ietf.org) wrote:
>
> Howdy folks,
>
> I’m a developer on the Windows auth team that oversees Kerberos 
> development. We were handed the torch from Larry, Michiko, and crew 
> when they went off to do other exciting things.
>
> We’re currently in the process of implementing IAKerb as per the 
> latest expired draft and want to revive it and see it through to full 
> RFC. Happy to go into detail about why, but the benefits are I think 
> fairly self explanatory.
>
> Unfortunately there’s a fair amount of institutional knowledge around 
> this protocol that’s been lost to time and I was wondering if someone 
> could provide background on where things were last? What is required 
> in order to see it through?
>
> We have a few open questions, specifically around interop.
>
> What is the state of the MIT implementation? The draft refers to 
> interop with earlier versions. Is this something we need to reasonably 
> care about? The draft says the Finished checksum key usage is 
> implemented as int 42, but specced as 41. Why wasn’t 42 used in the 
> spec (that’s otherwise a rather obnoxious interop hack)?
>
> As mentioned, happy to go into more detail about our plans.
>
> Cheers
>
> Steve
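The quoted question about the Finished checksum key usage (41 in the draft text versus 42 in existing code) is worth seeing in working form, because the usage number is not a label but an input to key derivation: RFC 3961 keyed checksums are computed with a key derived from the session key and the usage number, so two peers that disagree on the number never agree on the checksum. The following is an added illustration written for this archive page; it is not code from either message, nor from the MIT, Heimdal or Windows implementations. It replaces the real RFC 3961 DK() (n-fold plus the enctype's block cipher) with an HMAC-SHA256 stand-in so it runs with the standard library, and the session key, the token bytes, the function names and the accept-either fallback policy are all constructed assumptions; only the numbers 41 and 42 come from the thread.

```python
"""Illustration of why the IAKerb Finished checksum key usage number matters.

Constructed example for this archive page; not MIT, Heimdal or Windows code.
The key derivation is a simplified HMAC stand-in for RFC 3961 DK(), kept only
so the dependency on the key usage number is visible.  The values 41 and 42
are the ones quoted in the thread; everything else is assumed.
"""
import hashlib
import hmac

KEY_USAGE_SPEC = 41       # number written in the draft text (per the thread)
KEY_USAGE_DEPLOYED = 42   # number existing implementations used (per the thread)


def derive_checksum_key(base_key: bytes, key_usage: int) -> bytes:
    """Stand-in for Kc = DK(base_key, usage || 0x99) from RFC 3961.

    Real implementations run n-fold and the enctype's cipher here; HMAC-SHA256
    is used so the example has no dependencies.  The point survives the
    simplification: a different usage number yields a different key.
    """
    usage_bytes = key_usage.to_bytes(4, "big") + b"\x99"
    return hmac.new(base_key, usage_bytes, hashlib.sha256).digest()


def finished_checksum(base_key: bytes, conversation: bytes, key_usage: int) -> bytes:
    """Keyed checksum over the bytes exchanged so far (constructed input)."""
    kc = derive_checksum_key(base_key, key_usage)
    return hmac.new(kc, conversation, hashlib.sha256).digest()


def verify_strict(base_key: bytes, conversation: bytes, checksum: bytes,
                  key_usage: int = KEY_USAGE_SPEC) -> bool:
    """Verify under exactly one usage number, the way a by-the-draft peer would."""
    expected = finished_checksum(base_key, conversation, key_usage)
    # compare_digest returns False (no exception) on length mismatch for bytes.
    return hmac.compare_digest(expected, checksum)


def verify_with_fallback(base_key: bytes, conversation: bytes, checksum: bytes,
                         usages=(KEY_USAGE_SPEC, KEY_USAGE_DEPLOYED)):
    """Return the usage number the checksum verifies under, or None.

    This is the receive-side accommodation the thread calls an interop hack:
    try the specified number first, then the deployed one.  It only helps the
    verifier; the sender still has to pick one number that its peer accepts.
    """
    for usage in usages:
        if verify_strict(base_key, conversation, checksum, usage):
            return usage
    return None


def demo() -> dict:
    """Run the mismatch scenario on constructed inputs and report the outcome."""
    session_key = b"constructed-session-key-for-illustration"
    # Constructed stand-in for the GSS tokens exchanged during IAKerb setup.
    conversation = b"IAKERB-PROXY:AS-REQ|AS-REP|TGS-REQ|TGS-REP|AP-REQ"

    sent_by_deployed_peer = finished_checksum(session_key, conversation, KEY_USAGE_DEPLOYED)
    return {
        "keys_differ": derive_checksum_key(session_key, 41) != derive_checksum_key(session_key, 42),
        "strict_41_accepts_42_token": verify_strict(session_key, conversation, sent_by_deployed_peer),
        "fallback_accepts_as": verify_with_fallback(session_key, conversation, sent_by_deployed_peer),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `demo()` result shows the practical consequence behind the question in the thread: a token produced with usage 42 fails outright at a verifier that implements only the number in the draft text, and passes only because the fallback tries both. That is what makes the two numbers an interop problem rather than an editorial one, and why settling on a single value in the revived draft matters more than which value it is.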