Re: [kitten] draft-ietf-kitten-cammac kdc-verifier omission

Greg Hudson <> Thu, 12 February 2015 21:21 UTC

Date: Thu, 12 Feb 2015 16:21:17 -0500
From: Greg Hudson <>
To: Benjamin Kaduk <>

On 02/12/2015 01:47 PM, Benjamin Kaduk wrote:
> Do you want to come up with a concrete proposal for new text?

Sure.  In section 8 (Security Considerations), replace "two exceptions"
with "three exceptions," and add a third item to the list:

3. If the ticket server principal is a cross-realm TGS from a different
realm, the CAMMAC's kdc-verifier cannot be validated because the
checksum was made using the other realm's local TGS key.  If the
CAMMAC's svc-verifier is valid, the CAMMAC contents can be safely
assumed to have originated from the other realm.  The KDC SHOULD NOT
blindly copy CAMMAC elements originating from another realm, but MAY
choose to filter, transform, and propagate elements according to policy
rules, and MAY place a kdc-verifier in the new CAMMAC containing the
resulting authorization data elements.

I use MUST NOT instead of SHOULD NOT because a KDC might be in a
subsidiary relationship to a higher-security realm.  By "cross-realm TGS
from a different realm," I mean an incoming cross-realm krbtgt principal
like "krbtgt/MYKDCREALM@FOREIGNREALM," but I don't see a need to spell
that out.
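Added illustration of the cross-realm case in the proposed item 3, not code from the thread or from the draft: a small Python model of a KDC that can check a CAMMAC's svc-verifier with the cross-realm key it shares, cannot check a kdc-verifier made with the other realm's local TGS key, and so filters foreign-origin elements by policy instead of copying them. Assumptions: HMAC-SHA256 stands in for the RFC 3961 keyed checksum, the CAMMAC is a plain dict, and the keys, principals and the one-entry policy table are constructed.

```python
import hmac
import hashlib

LOCAL_REALM = "MYKDCREALM"
# Constructed long-term keys held by this KDC (assumption). The foreign realm's own
# local TGS key, krbtgt/FOREIGNREALM@FOREIGNREALM, is deliberately absent: that is
# the key behind a foreign-issued kdc-verifier, so this KDC can never check it.
KEYS = {
    "krbtgt/MYKDCREALM@MYKDCREALM": b"local-tgs-key",
    "krbtgt/MYKDCREALM@FOREIGNREALM": b"cross-realm-key-shared-with-FOREIGNREALM",
}
# Policy (assumption): ad-types we are willing to propagate from another realm.
ALLOWED_FOREIGN_AD_TYPES = {128}

def checksum(key, elements):
    """HMAC-SHA256 over the elements, standing in for the RFC 3961 keyed checksum."""
    data = b"".join(t.to_bytes(4, "big") + v for t, v in elements)
    return hmac.new(key, data, hashlib.sha256).digest()

def is_foreign_cross_realm_tgs(server):
    """True for an incoming cross-realm TGS principal like krbtgt/MYKDCREALM@FOREIGNREALM."""
    name, realm = server.rsplit("@", 1)
    parts = name.split("/")
    return len(parts) == 2 and parts[0] == "krbtgt" and realm != LOCAL_REALM

def verify_cammac(server, cammac):
    """Return (kdc_ok, svc_ok). kdc_ok is None when the kdc-verifier was made with
    a key this KDC does not hold, i.e. the cross-realm case of exception 3."""
    elems = cammac["elements"]
    svc_ok = hmac.compare_digest(checksum(KEYS[server], elems), cammac["svc_verifier"])
    if is_foreign_cross_realm_tgs(server):
        return None, svc_ok
    local_key = KEYS[f"krbtgt/{LOCAL_REALM}@{LOCAL_REALM}"]
    kdc_ok = hmac.compare_digest(checksum(local_key, elems), cammac["kdc_verifier"])
    return kdc_ok, svc_ok

def propagate(server, cammac):
    """Elements for a new ticket's CAMMAC plus a fresh local kdc-verifier over them.
    Foreign-origin elements are filtered by policy, never copied blindly; a CAMMAC
    that fails verification is dropped (None). The new svc-verifier is not modelled."""
    kdc_ok, svc_ok = verify_cammac(server, cammac)
    if not svc_ok or kdc_ok is False:
        return None
    elems = cammac["elements"]
    if kdc_ok is None:
        elems = [(t, v) for t, v in elems if t in ALLOWED_FOREIGN_AD_TYPES]
    local_key = KEYS[f"krbtgt/{LOCAL_REALM}@{LOCAL_REALM}"]
    return {"elements": elems, "kdc_verifier": checksum(local_key, elems)}
```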