Re: [kitten] Comments on draft-ietf-krb-wg-camac-08

Tom Yu <tlyu@MIT.EDU> Fri, 01 August 2014 16:54 UTC

From: Tom Yu <tlyu@MIT.EDU>
To: Greg Hudson <ghudson@mit.edu>
References: <tslwqax1mhm.fsf@mit.edu> <53D7DBE2.3010105@mit.edu>
Date: Fri, 01 Aug 2014 12:54:38 -0400
In-Reply-To: <53D7DBE2.3010105@mit.edu> (Greg Hudson's message of "Tue, 29 Jul 2014 13:37:38 -0400")
Message-ID: <ldvfvhgrvzl.fsf@sarnath.mit.edu>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/TuqRJefzUM5j26x11sbAqzAcNJY
Cc: kitten@ietf.org, Sam Hartman <hartmans-ietf@mit.edu>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>

Greg Hudson <ghudson@MIT.EDU> writes:

> My preference is to:
>
> * Advise that CAMMACs be put inside AD-IF-RELEVANT.
>
> * Specify that authdata contained within a CAMMAC should be considered
> non-critical.  (That is, you don't have to wrap everything inside a
> CAMMAC in AD-IF-RELEVANT.)  RFC 4120 already does this for AD-KDC-ISSUED
> (section 5.2.6.2, last paragraph), presumably under the assumption that
> it is used for positive rather than negative authdata.

I agree that AD-CAMMAC should have the same effect on the criticality of
its contents as AD-KDC-ISSUED.  We can recommend that a CAMMAC be put in
AD-IF-RELEVANT if it is likely that the consuming service won't
understand it.  The KDC might have enough knowledge of the capabilities
of the service that the extra layer of wrapping might not be necessary.
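The criticality rule being discussed in this thread, as an added example that is not part of the message above or of the CAMMAC draft: a small Python model of how a consuming service walks AuthorizationData (an unknown ad-type is critical and forces rejection unless it sits inside AD-IF-RELEVANT; the contents of AD-KDC-ISSUED and AD-CAMMAC are treated as non-critical), plus the KDC-side wrapping decision Tom describes. Assumptions: ASN.1 encoding is left out and AuthorizationData is modelled as nested Python tuples; the checksum/MAC of AD-KDC-ISSUED and AD-CAMMAC is assumed to have been verified before this walk; the ad-type value 96 for AD-CAMMAC is taken from the later RFC 7751, not from this page; AD_ROLE and AD_ROLE_V2 are hypothetical vendor ad-types invented for the demonstration.

```python
"""Criticality of Kerberos authorization data elements (constructed example).

AuthorizationData is modelled as a list of (ad_type, ad_data) tuples.  For
container types ad_data is itself such a list; for leaf types it is bytes.
The MAC/checksum on AD-KDC-ISSUED and AD-CAMMAC is assumed to be verified
already (assumption: that step is out of scope here).
"""

AD_IF_RELEVANT = 1   # RFC 4120 section 7.5.4
AD_KDC_ISSUED = 4    # RFC 4120 section 7.5.4
AD_CAMMAC = 96       # assumption: value assigned later by RFC 7751, not stated on this page

# Hypothetical vendor ad-types used only for this demonstration.
AD_ROLE = 200        # assumption: a type the modern service implements
AD_ROLE_V2 = 201     # assumption: a newer type no service in the demo implements

# Containers whose contents a consumer treats as non-critical: AD-IF-RELEVANT
# by definition, AD-KDC-ISSUED per RFC 4120 section 5.2.6.2, and AD-CAMMAC as
# proposed in the thread above.
NONCRITICAL_CONTAINERS = {AD_IF_RELEVANT, AD_KDC_ISSUED, AD_CAMMAC}


class CriticalUnknownAuthdata(Exception):
    """An ad-type the service does not implement was found where it is critical."""


def evaluate_authdata(elements, understood, noncritical=False):
    """Return the understood leaf elements of an AuthorizationData sequence.

    elements:    list of (ad_type, ad_data) tuples, nested for containers
    understood:  set of ad-type values this service implements
    noncritical: True once inside a container that relaxes criticality

    Raises CriticalUnknownAuthdata for an unknown ad-type met while
    criticality is still in force, i.e. the ticket must be rejected
    (RFC 4120 section 5.2.6).
    """
    accepted = []
    for ad_type, ad_data in elements:
        if ad_type not in understood:
            if noncritical:
                continue                    # unknown but non-critical: ignore it
            raise CriticalUnknownAuthdata(ad_type)
        if ad_type in NONCRITICAL_CONTAINERS:
            # Everything below this point is non-critical, including nested containers.
            accepted.extend(evaluate_authdata(ad_data, understood, noncritical=True))
        else:
            accepted.append((ad_type, ad_data))
    return accepted


def rejects(elements, understood):
    """True if the service would reject a ticket carrying these elements."""
    try:
        evaluate_authdata(elements, understood)
    except CriticalUnknownAuthdata:
        return True
    return False


def kdc_wrap_cammac(cammac_contents, service_understands_cammac):
    """KDC-side decision from the thread: wrap the CAMMAC in AD-IF-RELEVANT
    unless the KDC knows the service understands AD-CAMMAC."""
    cammac = (AD_CAMMAC, cammac_contents)
    if service_understands_cammac:
        return [cammac]                     # extra wrapping layer not needed
    return [(AD_IF_RELEVANT, [cammac])]


if __name__ == "__main__":
    legacy = {AD_IF_RELEVANT}                       # pre-CAMMAC service
    modern = {AD_IF_RELEVANT, AD_CAMMAC, AD_ROLE}   # CAMMAC-aware service
    contents = [(AD_ROLE, b"admin"), (AD_ROLE_V2, b"x")]

    unwrapped = kdc_wrap_cammac(contents, True)
    wrapped = kdc_wrap_cammac(contents, False)
    print("legacy, bare CAMMAC   -> reject:", rejects(unwrapped, legacy))
    print("legacy, wrapped CAMMAC -> accepts:", evaluate_authdata(wrapped, legacy))
    print("modern, bare CAMMAC   -> accepts:", evaluate_authdata(unwrapped, modern))
    print("modern, top-level v2  -> reject:", rejects([(AD_ROLE_V2, b"x")], modern))
```

The legacy service rejects a bare CAMMAC because ad-type 96 is unknown and critical, but ignores the same CAMMAC once it is inside AD-IF-RELEVANT; the modern service processes it either way and silently drops the AD_ROLE_V2 element because everything inside a CAMMAC is non-critical, while the same AD_ROLE_V2 at top level still forces rejection.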