[kitten] Comments on draft-ietf-kitten-iakerb-01

Greg Hudson <ghudson@MIT.EDU> Sun, 16 February 2014 17:14 UTC

From: Greg Hudson <ghudson@MIT.EDU>
To: kitten@ietf.org
Date: Sun, 16 Feb 2014 12:14:26 -0500
Message-ID: <x7deh332d59.fsf@equal-rites.mit.edu>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/aUmrdsAXckoNBootCqDR9Csyhrs
Subject: [kitten] Comments on draft-ietf-kitten-iakerb-01

Content comments:

> Exts field in the GSS-API authenticator [RFC6542] MUST contain an
> extension of the type GSS_EXTS_IAKERB_FINISHED

The rest of the draft uses GSS_EXTS_FINISHED.

> and the extension data contains the ASN.1 DER encoding of the
> structure IAKERB-FINISHED.

The rest of the draft uses KRB-FINISHED.

> Initiators behave as follows:
>
> o  If the acceptor token is framed, then use the protocol as defined
>    above.

I suggest:

  o  If the first acceptor token begins with generic token framing as
     described in section 3.1 of [RFC 2743], then use the protocol as
     defined in this document.

> o  Else

I suggest:

  o  If the first acceptor token is missing the generic token framing
     (i.e. the token begins with the two-byte token ID 05 01), then

>    *  All future tokens sent to the acceptor are to be unframed.

This bullet is unnecessary and should be removed.  All versions of the
MIT IAKERB acceptor will process framed messages, as I said here:

  http://www.ietf.org/mail-archive/web/kitten/current/msg03993.html

> Acceptors behave as follows:
>
> o  If you framed the response token, use the finish extension
>    processing defined in the main document.
>
> o  If you did not frame the response token, use the finish extension
>    processing defined in the previous paragraph.

This doesn't provide useful advice for interoperating with an MIT
initiator, as a standard acceptor will always frame the response token.
I suggest:

  Acceptors behave as follows:

  o  If the AP-REQ authenticator contains an extension of type 1
     containing a KRB-FINISHED message, then process the extension as if
     it were of type GSS_EXTS_FINISHED, except with a key usage of
     KEY_USAGE_IAKERB_FINISHED (42) instead of KEY_USAGE_FINISHED (41).

Editorial comments (only on the new text):

> MIT implemented an earlier draft of this specification, details on how
> to inter operate with that implementation can be found in Appendix A.

This is a run-on sentence.  Using a semicolon instead of a comma would
fix it.

> pnp The gss-mic field in the KRB-FINISHED structure contains

There is a stray "pnp" at the beginning here.

> concatenated in chronological order (note that GSS-API context token
> exchanges are synchronous.)

The period should be outside the parens, or the parenthetical should be
a separate sentence (in which case the period stays inside the parens).

> MIT implemented an early draft version of this document, this section
> gives a method for detecting and interoperating with that version.

This is another run-on sentence.  It's probably best to split it into
two sentences at the comma.
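The two detection rules discussed in this message (an initiator deciding from the first acceptor token whether the peer uses RFC 2743 generic token framing or the unframed 05 01 token ID, and an acceptor choosing KEY_USAGE_IAKERB_FINISHED (42) over KEY_USAGE_FINISHED (41) when the authenticator carries an extension of type 1) are shown below as an added Python example. It is not code from the draft or from MIT krb5. The IAKERB mechanism OID 1.3.6.1.5.2.5 is a known value; the numeric value 2 for GSS_EXTS_FINISHED is an assumption for the sake of the example, and the inner token bytes are constructed, not a real IAKERB-PROXY message.

```python
"""Added example: classify IAKERB acceptor tokens and pick the
KRB-FINISHED key usage as described in the list discussion."""

# Extension types and key usages.  Type 1 and the usages 41/42 are from
# the message above; the value of GSS_EXTS_FINISHED is an assumption.
GSS_EXTS_IAKERB_FINISHED = 1
GSS_EXTS_FINISHED = 2          # assumed value, not stated in the mail
KEY_USAGE_FINISHED = 41
KEY_USAGE_IAKERB_FINISHED = 42

# DER encoding of OBJECT IDENTIFIER 1.3.6.1.5.2.5 (the IAKERB mechanism).
IAKERB_OID_DER = bytes.fromhex("06062b0601050205")

# Token ID that an unframed IAKERB token starts with (from the mail).
IAKERB_TOKEN_ID = b"\x05\x01"


def _der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_encode_length(length: int) -> bytes:
    """Encode a DER length in short or long form."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def frame_token(mech_oid_der: bytes, inner: bytes) -> bytes:
    """Wrap an inner token in RFC 2743 section 3.1 generic framing:
    [APPLICATION 0] IMPLICIT SEQUENCE { mech OID, inner token }."""
    content = mech_oid_der + inner
    return b"\x60" + _der_encode_length(len(content)) + content


def classify_acceptor_token(token: bytes) -> dict:
    """Apply the initiator rule from the mail to the FIRST acceptor token:
    framed if it begins with generic token framing, unframed if it begins
    with the two-byte token ID 05 01.  Returns the mechanism OID (if any)
    and the inner token."""
    if len(token) >= 2 and token[0] == 0x60:
        length, pos = _der_length(token, 1)
        if pos + length != len(token):
            raise ValueError("framing length does not match token length")
        if token[pos] != 0x06:
            raise ValueError("expected mechanism OID after framing")
        oid_len, oid_start = _der_length(token, pos + 1)
        oid = token[oid_start:oid_start + oid_len]
        inner = token[oid_start + oid_len:]
        return {"framed": True, "mech_oid": oid, "inner": inner}
    if token[:2] == IAKERB_TOKEN_ID:
        return {"framed": False, "mech_oid": None, "inner": token}
    raise ValueError("not an IAKERB token")


def finished_key_usage(ext_type: int) -> int:
    """Acceptor rule from the mail: a type 1 extension carrying KRB-FINISHED
    is processed like GSS_EXTS_FINISHED but with key usage 42 instead of 41."""
    if ext_type == GSS_EXTS_FINISHED:
        return KEY_USAGE_FINISHED
    if ext_type == GSS_EXTS_IAKERB_FINISHED:
        return KEY_USAGE_IAKERB_FINISHED
    raise ValueError("unknown finished extension type %d" % ext_type)


if __name__ == "__main__":
    # Constructed sample: token ID 05 01 followed by a dummy DER payload.
    inner = IAKERB_TOKEN_ID + bytes.fromhex("3003020101")
    for tok in (frame_token(IAKERB_OID_DER, inner), inner):
        print(classify_acceptor_token(tok))
    print(finished_key_usage(GSS_EXTS_IAKERB_FINISHED))
```

The check on the DER length catches a truncated or padded first token before any OID comparison is made; a real implementation would additionally compare `mech_oid` against the IAKERB OID and reject other mechanisms.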