Re: [kitten] Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Jeffrey Altman <jaltman@secure-endpoints.com> Fri, 17 February 2023 14:37 UTC

Message-ID: <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com>
Date: Fri, 17 Feb 2023 09:36:53 -0500
To: kitten@ietf.org
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com>
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Organization: Secure Endpoints, Inc.
In-Reply-To: <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/UZbi1aUZXU-EMkgL0TC-_CYMRiQ>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

It should also be noted that in 2019 it was determined that there was no 
longer any interest in further development of IAKerb and the Working 
Group State for the document was set to "Dead WG Document", although 
IAKerb was never removed from the Kitten Charter.

https://datatracker.ietf.org/wg/kitten/about/

It's unclear to me from a process perspective whether the charter 
document is simply out of date and IAKerb needs to be once again added 
as a working group work item OR whether the Dead WG Document state can 
be removed by publishing an update.

The initial individual draft was published in 2006. At that time there 
was a very narrow use case which drove the effort. Over time the range 
of use cases grew broader without being reflected in the text of the 
draft. Re-reading the draft today for the first time in years I believe the 
draft fails to sufficiently describe the use cases for which it is 
intended and those which should be considered out of scope.

I am in favor of IAKerb or something like it being adopted and 
implemented. I would appreciate it if Steve could describe the 2023 
use cases for which Microsoft intends to use it in case they have 
significantly diverged from those considered in 2006.

Jeffrey Altman

On 2/17/2023 8:31 AM, Jeffrey Altman (jaltman@secure-endpoints.com) wrote:
>
> Please note that draft 3 does not include all of the feedback provided 
> on draft 2.
>
> The draft 2 feedback starts with this archived message
>
> https://mailarchive.ietf.org/arch/msg/kitten/5l6CknOZBF39aZps7wQIsl_L-6o/
>
> and the diff between drafts 2 and 3 can be found here
>
> https://www.ietf.org/rfcdiff?url2=draft-ietf-kitten-iakerb-03
>
> The discussion around error handling and default realm determination 
> is particularly important in my opinion.
>
> I do not believe there are any implementations of draft 3.
>
> Jeffrey Altman
>
> On 2/16/2023 6:57 PM, Steve Syfuhs (AP) 
> (Steve.Syfuhs=40microsoft.com@dmarc.ietf.org) wrote:
>>
>> Howdy folks,
>>
>> I’m a developer on the Windows auth team that oversees Kerberos 
>> development. We were handed the torch from Larry, Michiko, and crew 
>> when they went off to do other exciting things.
>>
>> We’re currently in the process of implementing IAKerb as per the 
>> latest expired draft and want to revive it and see it through to full 
>> RFC. Happy to go into detail about why, but the benefits are I think 
>> fairly self explanatory.
>>
>> Unfortunately there’s a fair amount of institutional knowledge around 
>> this protocol that’s been lost to time and I was wondering if someone 
>> could provide background on where things were last? What is required 
>> in order to see it through?
>>
>> We have a few open questions, specifically around interop.
>>
>> What is the state of the MIT implementation? The draft refers to 
>> interop with earlier versions. Is this something we need to 
>> reasonably care about? The draft says the Finished checksum key usage 
>> is implemented as int 42, but specced as 41. Why wasn’t 42 used in 
>> the spec (that’s otherwise a rather obnoxious interop hack)?
>>
>> As mentioned, happy to go into more detail about our plans.
>>
>> Cheers
>>
>> Steve
>>
>>
>> _______________________________________________
>> Kitten mailing list
>> Kitten@ietf.org
>> https://www.ietf.org/mailman/listinfo/kitten