Re: [kitten] Options for IAKERB compatibility issue
Greg Hudson <ghudson@MIT.EDU> Tue, 07 May 2013 18:38 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A1F821F908B for <kitten@ietfa.amsl.com>; Tue, 7 May 2013 11:38:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.524
X-Spam-Level:
X-Spam-Status: No, score=-3.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AVgY2zE6XKf7 for <kitten@ietfa.amsl.com>; Tue, 7 May 2013 11:38:31 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (DMZ-MAILSEC-SCANNER-4.MIT.EDU [18.9.25.15]) by ietfa.amsl.com (Postfix) with ESMTP id 7037721F8C1A for <kitten@ietf.org>; Tue, 7 May 2013 11:38:31 -0700 (PDT)
X-AuditID: 1209190f-b7f256d000005616-d0-51894a267283
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id 66.57.22038.62A49815; Tue, 7 May 2013 14:38:30 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id r47IcTmJ031424 for <kitten@ietf.org>; Tue, 7 May 2013 14:38:30 -0400
Received: from [18.189.54.192] ([18.189.54.192]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id r47IcSRN008906 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <kitten@ietf.org>; Tue, 7 May 2013 14:38:29 -0400
Message-ID: <51894A24.7000507@mit.edu>
Date: Tue, 07 May 2013 14:38:28 -0400
From: Greg Hudson <ghudson@MIT.EDU>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130404 Thunderbird/17.0.5
MIME-Version: 1.0
To: kitten@ietf.org
References: <x7d4neg555c.fsf@equal-rites.mit.edu> <4969FAFD-094B-4774-B3B9-9B611FBF821A@kth.se> <518944F0.8050504@mit.edu>
In-Reply-To: <518944F0.8050504@mit.edu>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrDIsWRmVeSWpSXmKPExsUixG6noqvm1RlosKtPyuLo5lUsDoweS5b8 ZApgjOKySUnNySxLLdK3S+DKmHVzCUvBOo6Knr2/2RsYb7J1MXJySAiYSLx/t50VwhaTuHBv PVhcSGAfo8TM9SpdjFxA9jFGiUvHtrJCOIeYJKa8f8cCUsUroCbxr30XM4jNIqAqsW0TxCQ2 AWWJg2e/gdWICoRInP7cxAxRLyhxcuYTsLiIgLDE7q3vgOIcHMICNhIfpiRCLK6SOH6wnQkk zCmgLnHsZyTEbZISi6Z1gnUyC+hIvOt7wAxhy0tsfzuHeQKj4CwkC2YhKZuFpGwBI/MqRtmU 3Crd3MTMnOLUZN3i5MS8vNQiXRO93MwSvdSU0k2MoEDllOTfwfjtoNIhRgEORiUe3gccnYFC rIllxZW5hxglOZiURHnT3IFCfEn5KZUZicUZ8UWlOanFhxglOJiVRHiFFIByvCmJlVWpRfkw KWkOFiVx3qspN/2FBNITS1KzU1MLUotgsjIcHEoSvBKeQI2CRanpqRVpmTklCGkmDk6Q4TxA w8U9QIYXFyTmFmemQ+RPMSpKifPKgTQLgCQySvPgemGJ5BWjONArwry8IFU8wCQE1/0KaDAT 0OAEvnaQwSWJCCmpBsbUdfaVdakXgfF8tNJY7MHyuufmd2quLTD5kezLaLviYMnHn+XPbjb1 bv354jhXYWBCifSj6z8kztZotLwPiD5XqeSYe3zSn1Ps9lecXAN/NDduFJPq6b0TdU7n5Dx1 9zdfDj6V/el05AevwrtjdXw+t/t5a40O9UWWX5STNrx+dY3Hw4MREUosxRmJhlrMRcWJABOo 6Of/AgAA
Subject: Re: [kitten] Options for IAKERB compatibility issue
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2013 18:38:38 -0000
I just realized that we can use the absence of framing to detect an MIT IAKERB implementation. This makes the problem much more tractable. So here is option 6 (a variation of option 1), which is my preferred option: 6. The main text of the standard stays as-is. We add an appendix describing how to be compatible with the current MIT implementation: - Process messages without framing after the first initiator token. - If you're the initiator and you see an unframed acceptor token, use the MIT variant of the finished extension in the AP-REQ checksum (extension type 1 and key usage 42). - If you're the acceptor, process either variant of the finished extension. If we go in this direction, the MIT implementation can change to generate framing on all tokens, send the standard variant of the finished extension in the AP-REQ checksum if it sees a framed acceptor token, and process either variant of the finished extension in the acceptor. Sorry I didn't realize this yesterday; I could have cut out a substantial amount of noise.
- [kitten] Options for IAKERB compatibility issue Greg Hudson
- Re: [kitten] Options for IAKERB compatibility iss… Nico Williams
- Re: [kitten] Options for IAKERB compatibility iss… Greg Hudson
- Re: [kitten] Options for IAKERB compatibility iss… Love Hörnquist Åstrand
- Re: [kitten] Options for IAKERB compatibility iss… Greg Hudson
- Re: [kitten] Options for IAKERB compatibility iss… Love Hörnquist Åstrand
- Re: [kitten] Options for IAKERB compatibility iss… Greg Hudson
- Re: [kitten] Options for IAKERB compatibility iss… Sam Hartman
- Re: [kitten] Options for IAKERB compatibility iss… Greg Hudson