Re: [kitten] [EXTERNAL] Re: Question about AES mode in Kerberos
Nico Williams <nico@cryptonector.com> Fri, 13 January 2023 19:19 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01FD4C15C52A for <kitten@ietfa.amsl.com>; Fri, 13 Jan 2023 11:19:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.089
X-Spam-Level:
X-Spam-Status: No, score=-2.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SPF_HELO_TEMPERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rprAGVCdPXxt for <kitten@ietfa.amsl.com>; Fri, 13 Jan 2023 11:18:58 -0800 (PST)
Received: from hedgehog.birch.relay.mailchannels.net (hedgehog.birch.relay.mailchannels.net [23.83.209.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3139DC15B278 for <kitten@ietf.org>; Fri, 13 Jan 2023 11:18:15 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 5A58782092E; Fri, 13 Jan 2023 19:18:15 +0000 (UTC)
Received: from pdx1-sub0-mail-a264.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id A405B820A60; Fri, 13 Jan 2023 19:18:14 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1673637494; a=rsa-sha256; cv=none; b=78bpxEwXwcCe7xFoQM7hvF8hdVUhgc0qdIOUzLPpD1keLVyW995QbiaY9qH58LzQlDWIa2 JXCIaDs3whaMhe1aTnaTulcRzYDKCZuCMLNYr8INYBonVk7i4GsZ5Yg8VmkkZFm+nxOH+H n8Ihoj74hWj9OaXrNf3x1Z2S59QHk3bXZmtyRpO1poGJP4QVqCgt+dMPaSc77QJfoNp+OV /cQh5NK1vKDICEETXmGgw3XCd2bxPJDllW8nwhDM+0T17R6UEIIyIh1zK+ueP16zLHYtSe 55bUEBdxA3ckOMPMktkIISr1OxY5lwG4r0OOjlrWKdpKuTCrdTZLttYieCKQ7Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1673637494; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=WUQ7LuIMFdvRLurXeasJdkjbrnNepsIMvWtPssXzqDM=; b=bS2n8sc7iNu8Ac4KqMGSvQ9RRDoQd9B2Jox3eu6c2wEOF92GZYOOm6z41zLXdDnG5SYfzB 4vWVZThoFDTFsLoRlfuSozn/XVUvn/95n5p/GlzYlYeWwqKhzEKzUcsk573/ucZhP3X4AF Cx5sEobiPuFbT3KP/GbGiVU/TRzQoHPqQgYB2QxuLHHj2vZNJPm+YASJgDbOcpFUZCZn0Z QK6NY3f3bINHv7n6IL1deEzynVkTO23Lpr4rxozwo56oyzgyDB+um2RaybgpHCNMdchMOM Ng0+qgbZCHw9v0VHbicYx+TtnVb73ICd7JBBnTaidyV+os3B2wHpT/KwpwhYWg==
ARC-Authentication-Results: i=1; rspamd-6f569fcb69-pz4jf; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Duck-Sponge: 0b54a90c47ab9cd3_1673637495064_2626085266
X-MC-Loop-Signature: 1673637495064:4179357228
X-MC-Ingress-Time: 1673637495064
Received: from pdx1-sub0-mail-a264.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.116.179.96 (trex/6.7.1); Fri, 13 Jan 2023 19:18:15 +0000
Received: from gmail.com (cpe-66-25-27-1.tx.res.rr.com [66.25.27.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a264.dreamhost.com (Postfix) with ESMTPSA id 4NtrmP35fdz8T; Fri, 13 Jan 2023 11:18:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1673637494; bh=WUQ7LuIMFdvRLurXeasJdkjbrnNepsIMvWtPssXzqDM=; h=Date:From:To:Cc:Subject:Content-Type; b=U3E0Ib8r3bL6QHp6ILc9Xa+kaTcGznM5AWzhhPnZSoj8k5hFLqGt7Q65nhKWX6XdP XScfrhgbG7VlWXoOGntMiWBTw4Mp4iJNLIrKEcrfW2q4f8W32btYEjr5EU5ioPJPYn 6eONStQkkkMk1e/b4iWoumFVHUbZXD6qS33B/UL2652AIW80JwdUbmcwZaupR9Bh7R AVR38rN9devC17Yx0bNt4NPe68mCzPJaIIufXKFQHG8PxG64O6ij1PJpbt7DD+RMVH tP1c109v7DSSlBXIkX/yEx8mVPCtdabodrQTr37CBWNNdMCfgxJmfRhIX2Z+AjRzq6 VGJGVZOakG2wA==
Date: Fri, 13 Jan 2023 13:18:10 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
Cc: Greg Hudson <ghudson@mit.edu>, Olga Kornievskaia <aglo@umich.edu>, Luke Howard Bentata <lukeh=40padl.com@dmarc.ietf.org>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y8GuckCNiT93SsD4@gmail.com>
References: <CAN-5tyGGJXoo9RfKEGTsk8XeQDpZ--VSnO7nunzvnBBzrRB0WQ@mail.gmail.com> <558f31de-7fac-26c7-fe81-8e486968f0ef@secure-endpoints.com> <7B46A5A4-4415-4627-B964-44F2516D84FE@padl.com> <9464B1FF-6784-4D59-A4F6-1B5D58C2B94F@padl.com> <CAN-5tyE4eau116TkDLbvn+pTOjK_C+WEvi9SnUELr+4riTpZcw@mail.gmail.com> <cb3ff38f-7e62-0711-9a6c-50a96b571e2d@mit.edu> <CAN-5tyFA41VMz_3tBmh+FeefBBJOxfi1AoUCqUkRHR3z43qrKg@mail.gmail.com> <9bf334b8-cdde-b5a2-608f-6dbb4a353aa2@mit.edu> <Y8GnikmipD1G68HJ@gmail.com> <MW4PR21MB19701AC9F083BB5D58CEBA849CC29@MW4PR21MB1970.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <MW4PR21MB19701AC9F083BB5D58CEBA849CC29@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ZckymdQWltN8NLcklKGcG771anQ>
Subject: Re: [kitten] [EXTERNAL] Re: Question about AES mode in Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2023 19:19:03 -0000
On Fri, Jan 13, 2023 at 07:05:22PM +0000, Steve Syfuhs (AP) wrote: > We've thrown around the idea of extending TLS 1.3 where Kerberos does > key agreement to produce PSKs. Could replace GSS with that... GSS-API is closer to DTLS (which isn't really a thing now, right?) because of its use of sequence numbers, while TLS enforces ordering, so a TLS 1.3 using AP-REQ as a session resumption ticket wouldn't be a complete replacement for RFC 4121's per-message tokens. Nico --
- [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Jeffrey Altman
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Jeffrey Altman
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Paul Miller (NT)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Olga Kornievskaia
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Ken Hornstein
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Greg Hudson
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Greg Hudson
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata