Re: [kitten] WGLC on draft-ietf-kitten-pkinit-freshness-01

Michiko Short <michikos@microsoft.com> Fri, 16 October 2015 18:04 UTC

From: Michiko Short <michikos@microsoft.com>
To: "kitten@ietf.org" <kitten@ietf.org>
Date: Fri, 16 Oct 2015 18:04:18 +0000
Message-ID: <BY1PR03MB14177E50FC4283137136D705D03D0@BY1PR03MB1417.namprd03.prod.outlook.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/U5bZdDscdTpWutKul8O5iXfZCJY>

Greg, as always, thanks for the fast response.

Regarding the client request behavior, the bottom line is that I would prefer not to remove it from the RFC. We can make it optional, but it would need to be required to interoperate with some Microsoft Active Directory domains. We may be the only PKINIT implementation impacted. I don't know.

>> 3. In Windows Active Directory, accounts configured with AltSecID can receive a principal not found error and fail logon when the normal password AS ping is sent, since the cname is not in the global catalog. By requesting the freshness token, the KDC can choose to return the preauth failure with the token when the account cannot be found.

> I don't understand this.  What is the message sequence?  Do you want to return a freshness token in a KDC_ERR_C_PRINCIPAL_UNKNOWN error?

No, the message sequence is that the client requests freshness, so the KDC can ignore the principal not found issue and return the freshness token with preauth required. Then, when they have preauth, the KDC can find the account and proceed as normal.

Regarding the error, I'll update the draft to use KDC_ERR_PREAUTH_EXPIRED and make FAST a normative reference. If anyone disagrees, then speak up.

>> 7.  Security Considerations

>> 2.  The KDC can determine authenticity and prevent tampering.

> Discussing FAST here seems more confusing than helpful.  FAST protects against some kinds of tampering by a network attacker, but wouldn't even begin to protect against a rogue client tampering with the contents of the freshness token (e.g. changing a timestamp to make an old token look new).

I have removed the FAST statement and gotten a bit of feedback on our side, so I'll shoot another proposed draft later today.


Thanks,
Michiko Short
Program Manager | Authentication Protocols
Windows & Devices Group: OS Security
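To make the message sequence in the reply above concrete, here is an added model of the exchange written for this page; it is not code from the draft, from Microsoft's implementation or from any KDC. It assumes a token layout of timestamp, nonce and HMAC under a KDC-only key, a 120-second validity window, string error names in place of the Kerberos error codes, and a certificate-subject-to-principal map standing in for AltSecID mapping; certificate signature verification on the PKINIT leg is left out. It runs the sequence Michiko describes (freshness requested, PREAUTH_REQUIRED returned with a token before any account lookup, account resolved on the PKINIT leg), the password-ping case that fails with principal unknown, and the rogue-client case Greg raises, where a client rewrites the timestamp of an old token and the KDC's integrity check rejects it before the timestamp is consulted.

```python
# Added illustrative model of the PKINIT freshness-token exchange discussed
# in this thread. Not from the draft or any KDC. The token layout
# (8-byte timestamp + 8-byte nonce + HMAC-SHA256 tag), the 120-second
# window, the string error names and the cert_map lookup standing in for
# AltSecID mapping are assumptions made for this example.
import hashlib
import hmac
import os
import struct

KDC_ERR_PREAUTH_REQUIRED = "KDC_ERR_PREAUTH_REQUIRED"
KDC_ERR_PREAUTH_FAILED = "KDC_ERR_PREAUTH_FAILED"
KDC_ERR_PREAUTH_EXPIRED = "KDC_ERR_PREAUTH_EXPIRED"
KDC_ERR_C_PRINCIPAL_UNKNOWN = "KDC_ERR_C_PRINCIPAL_UNKNOWN"

TOKEN_LIFETIME = 120          # seconds; assumed policy, not from the draft
_BODY_LEN, _TAG_LEN = 16, 32  # timestamp + nonce, then the SHA-256 tag


class KDC:
    def __init__(self, key, accounts, cert_map, clock):
        self.key = key            # known only to the KDC; clients never see it
        self.accounts = accounts  # cname -> principal (the catalog lookup)
        self.cert_map = cert_map  # cert subject -> principal (AltSecID analogue)
        self.clock = clock        # callable returning epoch seconds

    def mint_token(self):
        """Opaque token: issue time + nonce, integrity-protected by the KDC key."""
        body = struct.pack(">Q", int(self.clock())) + os.urandom(8)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

    def check_token(self, token):
        """'ok', 'tampered' (bad or forged MAC) or 'expired' (outside window)."""
        if len(token) != _BODY_LEN + _TAG_LEN:
            return "tampered"
        body, tag = token[:_BODY_LEN], token[_BODY_LEN:]
        expect = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            return "tampered"   # a client that edited the timestamp lands here
        issued = struct.unpack(">Q", body[:8])[0]
        if abs(int(self.clock()) - issued) > TOKEN_LIFETIME:
            return "expired"
        return "ok"

    def as_exchange(self, cname, freshness_requested=False, pk_auth=None):
        """One AS-REQ. pk_auth is None for the initial unauthenticated request,
        or {'cert_subject': ..., 'token': ...} for the PKINIT leg (the
        certificate signature check is out of scope for this model)."""
        if pk_auth is None:
            if freshness_requested:
                # Client asked for freshness: answer PREAUTH_REQUIRED with a
                # token before any account lookup, so a cname that is only
                # reachable through certificate mapping is not rejected yet.
                return {"error": KDC_ERR_PREAUTH_REQUIRED,
                        "freshness_token": self.mint_token()}
            if cname not in self.accounts:   # the plain password "AS ping"
                return {"error": KDC_ERR_C_PRINCIPAL_UNKNOWN}
            return {"error": KDC_ERR_PREAUTH_REQUIRED}

        status = self.check_token(pk_auth["token"])
        if status == "tampered":
            return {"error": KDC_ERR_PREAUTH_FAILED}
        if status == "expired":
            return {"error": KDC_ERR_PREAUTH_EXPIRED}
        # With preauth in hand, resolve the account by cname or by cert mapping.
        principal = (self.accounts.get(cname)
                     or self.cert_map.get(pk_auth["cert_subject"]))
        if principal is None:
            return {"error": KDC_ERR_C_PRINCIPAL_UNKNOWN}
        return {"as_rep": principal}


def pkinit_logon(kdc, cname, cert_subject, freshness_requested=True,
                 mangle=None):
    """Client side: first AS-REQ, then the PKINIT AS-REQ echoing the token.
    mangle, if given, rewrites the token before it is echoed (rogue client)."""
    first = kdc.as_exchange(cname, freshness_requested=freshness_requested)
    if first.get("error") != KDC_ERR_PREAUTH_REQUIRED:
        return first
    token = first.get("freshness_token", b"")
    if mangle is not None:
        token = mangle(token)
    return kdc.as_exchange(cname, pk_auth={"cert_subject": cert_subject,
                                            "token": token})


def forge_timestamp(token, new_time):
    """Rogue client rewriting the issue time to make an old token look new.
    The nonce and tag are kept, so only the KDC's MAC check can catch it."""
    return struct.pack(">Q", int(new_time)) + token[8:]
```

The point of the integrity tag is the one Greg makes: the token travels through the client, so its authenticity has to rest on a key the client does not hold. A FAST tunnel only protects the path between client and KDC; it does nothing against the client itself editing the token before echoing it back.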