Re: [kitten] Any Interest in a Key Delivery Service?
Jeffrey Altman <jaltman@secure-endpoints.com> Thu, 14 September 2017 13:04 UTC
Return-Path: <prvs=1430f7b518=jaltman@secure-endpoints.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24779133010 for <kitten@ietfa.amsl.com>; Thu, 14 Sep 2017 06:04:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=secure-endpoints.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MuWdSCz-jdyj for <kitten@ietfa.amsl.com>; Thu, 14 Sep 2017 06:04:09 -0700 (PDT)
Received: from sequoia-grove.secure-endpoints.com (sequoia-grove.ad.secure-endpoints.com [208.125.0.235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D835412008A for <kitten@ietf.org>; Thu, 14 Sep 2017 06:04:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/relaxed; d=secure-endpoints.com; s=MDaemon; t=1505394221; x=1505999021; i=jaltman@secure-endpoints.com; q=dns/txt; h=VBR-Info:Subject:To: References:From:Openpgp:Organization:Message-ID:Date:User-Agent: MIME-Version:In-Reply-To:Content-Type; bh=93GdJp4FYL/JHRa+k0y0pA eBDBQyoi8/rqm4S0KCaEI=; b=IHkL+A58c1tofYbc+s5bXwj/3A5rencwNGu960 39ctKf0fBCWwarL4aQ7K1YQz4hu21QHzZjxH+wRwtMGdrqnFulqUzCHvpgkXc9Or bTbx4vvBJ+EvkFKfXfbBDrEyboHveNMmpGe+CJG9UthNHaQcRt95wX+u/Sq8ZNQj g6eFU=
X-MDAV-Result: clean
X-MDAV-Processed: sequoia-grove.secure-endpoints.com, Thu, 14 Sep 2017 09:03:41 -0400
X-Spam-Processed: sequoia-grove.secure-endpoints.com, Thu, 14 Sep 2017 09:03:40 -0400
Received: from [IPv6:2001:470:1f07:f77:717d:782b:3f80:9600] by secure-endpoints.com (IPv6:2001:470:1f07:f77:28d9:68fb:855d:c2a5) (MDaemon PRO v17.5.0rc2) with ESMTPSA id md50001422205.msg; Thu, 14 Sep 2017 09:03:39 -0400
VBR-Info: md=secure-endpoints.com; mc=all; mv=vbr.emailcertification.org;
X-MDRemoteIP: 2001:470:1f07:f77:717d:782b:3f80:9600
X-MDHelo: [IPv6:2001:470:1f07:f77:717d:782b:3f80:9600]
X-MDArrival-Date: Thu, 14 Sep 2017 09:03:39 -0400
X-Authenticated-Sender: jaltman@secure-endpoints.com
X-Return-Path: prvs=1430f7b518=jaltman@secure-endpoints.com
X-Envelope-From: jaltman@secure-endpoints.com
X-MDaemon-Deliver-To: kitten@ietf.org
X-CAV-Result: clean
To: kitten@ietf.org
References: <2FB98F5F-3981-4EFF-8CFF-FF6B5B3D485C@oxy.edu> <20170913013057.B1BEE8E632@pb-smtp2.pobox.com> <20170914011724.GN96685@kduck.kaduk.org> <20170914020232.C6D85A2791@pb-smtp2.pobox.com>
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Openpgp: id=FA444AF197F449B24CF3E699F77A735592B69A04; url=https://pgp.mit.edu
Organization: Secure Endpoints Inc.
Message-ID: <78b69dc8-c7cc-47af-bbc9-ffb13909927e@secure-endpoints.com>
Date: Thu, 14 Sep 2017 09:03:36 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <20170914020232.C6D85A2791@pb-smtp2.pobox.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms070801020507000904070602"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/aO2etvlpcVmBK-spSWR1ag25BxI>
Subject: Re: [kitten] Any Interest in a Key Delivery Service?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Sep 2017 13:04:11 -0000
On 9/13/2017 10:02 PM, Ken Hornstein wrote: > Right, that was what I was suggesting. You can find the KMIP specification > here: > > http:/docs.oasis-open.org/kmip/spec/v1.2/kmip-spec-v1.2.html > > If you look at section 2.1.2, they have a BRIEF mention of Kerberos > where it talks about the Credential structure. But it's not clear to me > at first glance if there is a spot in the protocol for an AP-REP, much > less a potentially-unlimited series of round trips that you could get > via GSSAPI. I only mentioned KMIP because that is a protocol designed > to generate, store, and retrieve keys for use in EXACTLY the situation > originally mentioned (it is big in the data at rest world). It might be > more fruitful to try to adapt KMIP to your needs rather than shoehorn > the KDC into that role. > > --Ken As far as I can tell, before GSS-API or Kerberos could be used to authenticate to a KMIP service, TLS would need to be updated to support Kerberos authentication. At the moment, KMIP requires TLS 1.2. See http://docs.oasis-open.org/kmip/profiles/v1.2/os/kmip-profiles-v1.2-os.html Alternatively, a new GSS-API protected network protocol could be developed as a front-end to the KMIP store. For example, an RXGK protected RX RPC service would be interesting. Jeffrey Altman
- [kitten] Any Interest in a Key Delivery Service? Henry B (Hank) Hotz, CISSP
- Re: [kitten] Any Interest in a Key Delivery Servi… Ken Hornstein
- Re: [kitten] Any Interest in a Key Delivery Servi… Henry B (Hank) Hotz, CISSP
- Re: [kitten] Any Interest in a Key Delivery Servi… Ken Hornstein
- Re: [kitten] Any Interest in a Key Delivery Servi… Benjamin Kaduk
- Re: [kitten] Any Interest in a Key Delivery Servi… Ken Hornstein
- Re: [kitten] Any Interest in a Key Delivery Servi… Jeffrey Altman
- Re: [kitten] Any Interest in a Key Delivery Servi… Ken Hornstein