Re: [kitten] PKCROSS and philosophical tangents...
"Nordgren, Bryce L -FS" <bnordgren@fs.fed.us> Fri, 31 January 2014 19:06 UTC
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: [kitten] PKCROSS and philosophical tangents...
Thread-Index: Ac8dF9EVVIDV+Fq6S8CZNUDcti9KcAANe5wAAAZh4HAAUWokAAAA0odg
Date: Fri, 31 Jan 2014 19:05:56 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E684319@001FSN2MPN1-046.001f.mgd2.msft.net>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E683D80@001FSN2MPN1-046.001f.mgd2.msft.net> <201401311750.s0VHoV9a010086@hedwig.cmf.nrl.navy.mil>
In-Reply-To: <201401311750.s0VHoV9a010086@hedwig.cmf.nrl.navy.mil>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
Good to hear from someone who's done it. I haven't, so I mainly have questions instead of answers. Perhaps I should "briefback" my understanding of the motivation of PKCROSS by rephrasing the intro section:

Axiom: Successful large-scale Kerberos deployments authorize users to maintain their own authentication tokens. (e.g., I can change my own password)

Corollary: The lack of the ability for principals (KDC admins) to update their own tokens in a foreign KDC has inhibited the formation of Kerberos federations, and requires manual coordination between admins which is cumbersome and causes downtime.

In this light, I understand PKCROSS to be a means of automatically keying your KDC's credentials in a foreign system. However, it is unclear to me how these credentials get updated when they inevitably expire (or are stolen). Is that section TBD or am I just dense? I took the draft to say that the initial certificate must stay the same forever or else risk being rejected as a MITM attack.

I'm willing to be persuaded, but I'm not quite seeing how the draft addresses the deficiencies it identifies. PKCROSS to initially key your principal, plus a means to subsequently maintain the authentication tokens for your principal? Well, that addresses the problem statement.

It's possible that account maintenance could be facilitated with a series of recommendations and the corresponding security analyses. Expose your password-changing interface to the wide world and advertise which set of admin tools (MIT/heimdal/MS) are compatible? Stand up a web app which lets you log in and manage your credentials? Extend the base standard with a "principal management" message exchange? Dunno. It's probably important to specify that sites wishing to support federation SHOULD do certain things, one of which is to ensure that offsite (outside firewall), non-home-realm principals have the means to manage their credentials.
> I looked at the papers you posted; they seem interesting, but if the goal is to
> use one of those systems to get a Kerberos TGT ... well, I'd wonder what the
> advantage would be compared to one of the existing systems.

My purpose in bringing up those papers was not so much to propose a means of getting a TGT as to ask about alternative means of trust evaluation for the CA which signed the foreign KDC's certificate. Does the standard need to specify how trust is evaluated? Should it narrow the field to a handful of identifiable algorithms? Should it start simple but allow for growth?

Thanks for your time!

Bryce
- [kitten] PKCROSS and philosophical tangents... Nordgren, Bryce L -FS
- Re: [kitten] PKCROSS and philosophical tangents... Nico Williams
- Re: [kitten] PKCROSS and philosophical tangents... Nordgren, Bryce L -FS
- Re: [kitten] PKCROSS and philosophical tangents... Ken Hornstein
- Re: [kitten] PKCROSS and philosophical tangents... Nordgren, Bryce L -FS
- Re: [kitten] PKCROSS and philosophical tangents... Ken Hornstein
- Re: [kitten] PKCROSS and philosophical tangents... Russ Allbery
- Re: [kitten] PKCROSS and philosophical tangents... Nordgren, Bryce L -FS
- Re: [kitten] PKCROSS and philosophical tangents... Russ Allbery