Re: [kitten] draft-ietf-kitten-cammac kdc-verifier omission

[Greg Hudson <ghudson@mit.edu>]

On 02/12/2015 01:47 PM, Benjamin Kaduk wrote:
> Do you want to come up with a concrete proposal for new text?

Sure.  In section 8 (Security Considerations), replace "two exceptions"
with "three exceptions," and add a third item to the list:

---
3. If the ticket server principal is a cross-realm TGS from a different
realm, the CAMMAC's kdc-verifier cannot be validated because the
checksum was made using the other realm's local TGS key.  If the
CAMMAC's svc-verifier is valid, the CAMMAC contents can be safely
assumed to have originated from the other realm.  The KDC SHOULD NOT
blindly copy CAMMAC elements originating from another realm, but MAY
choose to filter, transform, and propagate elements according to policy
rules, and MAY place a kdc-verifier in the new CAMMAC containing the
resulting authorization data elements.
---

I use MUST NOT instead of SHOULD NOT because a KDC might be in a
subsidiary relationship to a higher-security realm.  By "cross-realm TGS
from a different realm," I mean an incoming cross-realm krbtgt principal
like "krbtgt/MYKDCREALM@FOREIGNREALM," but I don't see a need to spell
that out.