[kitten] Updates to IAKERB (Re: Windows Intent to revive and implement) IAKerb draft-ietf-kitten-iakerb-03
Nico Williams <nico@cryptonector.com> Wed, 22 February 2023 23:22 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F55DC15154C for <kitten@ietfa.amsl.com>; Wed, 22 Feb 2023 15:22:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 65HkTEYNXU7p for <kitten@ietfa.amsl.com>; Wed, 22 Feb 2023 15:22:46 -0800 (PST)
Received: from caracal.birch.relay.mailchannels.net (caracal.birch.relay.mailchannels.net [23.83.209.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54F57C151544 for <kitten@ietf.org>; Wed, 22 Feb 2023 15:22:45 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 51EA2540DF0; Wed, 22 Feb 2023 23:22:45 +0000 (UTC)
Received: from pdx1-sub0-mail-a299.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 7D4F4540B3A; Wed, 22 Feb 2023 23:22:44 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1677108164; a=rsa-sha256; cv=none; b=fr+yab5SxaO045qOT213ELZ/PQxhp+PJuu+rsgocDcxz1y+vmTxdWeDghjR9Kl1Gof/nXG L0KYkg649NYyQJF81dNJRWR7LJ1x+7pcxGWBvQV4WkEoehzCgm6wh7WHuqwxFx2IHySdgx mzn6V1x54IFwbkrHdpdcZBUgqaY5UlfD2qTE6UAD2Cyu3PwgQoSFifsMiB4LFvQI1cOLIz O2ulsRo0ArtrF51hXxf6dK2UwFPlhMZUgHU5RZ0BU4ZCLOOAqVB39grUaHTGnaAf087FI3 0x5saAv8JeuMTsBk6lZK9GUiRaLc/mNV0hWXWVGpDQRAon3IanPRGs4bL/e3NA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1677108164; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=Cfj9QWfwmP1LrLir47Vnl0BtoOuwXHlWVz3AXK3/H1c=; b=z6B96B2SCydOeP4C/pSKOWqeRKnq7fXXN7iKGB+Bk6vc154FFByPHpV9TnzELtndLlky3G fHdr8l0y0UzCN2JQYDGl2hgG5bhfHCdhHgSWR4rEot3rwbsOAFNrpwgeZtf+5i/Kx7m7Gj xARFXBYt467uKWJGGWBjosfal7Ql/Ye2fe5SjgWoGrmuoSOcpUnAQIYNgm1V7FfPnXFv0W wGQLFPnGTITPiwKeNw3MpLtOnm8yEMGCnuIbUs+HwtoR6+a5/XuPRGVV6B0HlIxvGwNARl lvfdj97a79gW8H48jYYviGiobb05Ot2ULlbbfVKRA0PkRHoUx7UQ/ny07PZXVg==
ARC-Authentication-Results: i=1; rspamd-5db48964c-nmxx4; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Duck-Little: 1d2f37e8077b034a_1677108164832_623757003
X-MC-Loop-Signature: 1677108164832:3986654118
X-MC-Ingress-Time: 1677108164832
Received: from pdx1-sub0-mail-a299.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.103.24.47 (trex/6.7.1); Wed, 22 Feb 2023 23:22:44 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a299.dreamhost.com (Postfix) with ESMTPSA id 4PMXJ34G2wz3Q; Wed, 22 Feb 2023 15:22:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1677108164; bh=Cfj9QWfwmP1LrLir47Vnl0BtoOuwXHlWVz3AXK3/H1c=; h=Date:From:To:Cc:Subject:Content-Type; b=IOrvSH+Z7IRUsNqlCnUyS35Srzvvixlq85jszxCtgYFcL/uPipJ22IouskyFxng5N Ft2kOAPCGHrQHj3vizDZjuRxBuIvk+jLldS1rHmvixI3UbYCIJg8/GAOZiX2+yQ/Qh z8rBrbkqRl3ogTK8JeeY+kOwR+X3ErCsPHct4zitxdY18+02iqN6SVsiRpJr6DzgZC XHcAXRFqO0iUF3/HhL2hUx7KSBHw6j1YGGpmMkaw0kbicy7yEZju/eg6oaIyfqKXjK SI3L9YHIyZSHg2wX9xbDA+UHizzWJO4NgDi99JXtY52SssHJQckvf52TKV+9+j/+b1 eQHA0MsrsZCcw==
Date: Wed, 22 Feb 2023 17:22:40 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
Cc: Luke Howard Bentata <lukeh@padl.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/ajwC8ZqiI+pjuU@gmail.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/AYFbD6wCrszskG@gmail.com> <Y/AamL5pPJW1sYrv@gmail.com> <MW4PR21MB1970AEAB4ABD68C0059A2AB99CA69@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/A4eirujnDjO+46@gmail.com> <E1A16BAA-9B3D-4D63-96F5-6DD150DB0D6F@padl.com> <MW4PR21MB19709BF16824B097019F5EC19CA69@MW4PR21MB1970.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <MW4PR21MB19709BF16824B097019F5EC19CA69@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/X5QpHbItgS9Chh_KQhi_Efx-g4k>
Subject: [kitten] Updates to IAKERB (Re: Windows Intent to revive and implement) IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2023 23:22:50 -0000
On Sat, Feb 18, 2023 at 04:56:24AM +0000, Steve Syfuhs (AP) wrote: > You have captured the exact problem with unknown names. We can extend > the protocol to solicit an SPN, and it turns out if you're willing to > look the other way on good protocol manners, this can work today > within spec. We just lose server auth. This *is* a net-win for > security still, just not much of one. OK, so what updates to IAKERB do you need? If you want to stay backwards-compatible then we can use the ASN.1 extensibility markers to add fields to IAKERB-HEADER: IAKERB-HEADER ::= SEQUENCE { -- Note that the tag numbers start at 1, not 0, which would -- be more conventional for Kerberos. target-realm [1] UTF8String, -- The name of the target realm. cookie [2] OCTET STRING OPTIONAL, -- Opaque data, if sent by the server, -- MUST be copied by the client verbatim into -- the next IAKRB_PROXY message. ..., target-name [3] KerberosPrincipal OPTIONAL, ... } Set `target-name` to the empty name to request the acceptor's name (I know, the empty name can be a legitimate name, but... it really shouldn't be), and the acceptor should fill it in. Or maybe: IAKERB-HEADER ::= SEQUENCE { -- Note that the tag numbers start at 1, not 0, which would -- be more conventional for Kerberos. target-realm [1] UTF8String, -- The name of the target realm. cookie [2] OCTET STRING OPTIONAL, -- Opaque data, if sent by the server, -- MUST be copied by the client verbatim into -- the next IAKRB_PROXY message. ..., target-name [3] CHOICE { request [0] NULL, -- or BOOLEAN DEFAULT (TRUE)? response [1] KerberosPrincipal, ... } ... } if we really want to allow empty names as names. While we're here we might as well also add a way for the acceptor to return a TGT for user-to-user auth, why not, where the PDU following the IAKERB-HEADER would be a Ticket: IAKERB-HEADER ::= SEQUENCE { -- Note that the tag numbers start at 1, not 0, which would -- be more conventional for Kerberos. target-realm [1] UTF8String, -- The name of the target realm. cookie [2] OCTET STRING OPTIONAL, -- Opaque data, if sent by the server, -- MUST be copied by the client verbatim into -- the next IAKRB_PROXY message. ..., target-name [3] CHOICE { request [0] NULL, user2user-ok [1] NULL, response [2] KerberosPrincipal, ... } OPTIONAL ... } A request with `user2user-ok` would elicit either a response with the name, or a response with a Ticket (which bears the name) for user2user. Nico --
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Greg Hudson
- [kitten] Windows Intent to revive and implement I… Steve Syfuhs (AP)
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Greg Hudson
- Re: [kitten] Windows Intent to revive and impleme… josh.howlett
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Replacing Kerberos (Re: Windows Intent t… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Ken Hornstein
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Paul Romero
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Luke Howard
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Andrew Bartlett
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Updates to IAKERB (Re: Windows Intent to… Nico Williams
- Re: [kitten] Updates to IAKERB (Re: Windows Inten… Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos D.Rogers
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Watson Ladd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Simo Sorce