Re: [kitten] Kathleen Moriarty's Discuss on draft-ietf-kitten-pkinit-freshness-07: (with DISCUSS)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 20 December 2016 20:18 UTC

To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <148047251432.11670.13523989384092580597.idtracker@ietfa.amsl.com> <af355db2-c6f8-6a39-a2e2-f65cd0bea2d4@cs.tcd.ie> <CAHbuEH6J9aBbTeW6sO46a+OENRAnX1bXH56FYkjt71PO4vsrxA@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <5367e5de-0d2b-3d92-1ded-17551685f14e@cs.tcd.ie>
In-Reply-To: <CAHbuEH6J9aBbTeW6sO46a+OENRAnX1bXH56FYkjt71PO4vsrxA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/asKnF00CORw493eRQeoHv-yJEzc>
Cc: mrogers@redhat.com, kitten@ietf.org, kitten-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-kitten-pkinit-freshness@ietf.org

Hiya,

On 20/12/16 19:43, Kathleen Moriarty wrote:
> Hi Stephen,
> 
> Thanks for digging into this.  Inline.
> 
> On Tue, Dec 20, 2016 at 11:58 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
>>
>> Hi Kathleen, Kitten-WG:
>>
>> I read the thread on this and I think a suggestion made
>> on the kitten list [1] by Greg Hudson ought to work to
>> address the valid concern that a too-short or predictable
>> freshness token could be abused.
>>
>> The suggestion was to add a new paragraph to the security
>> considerations saying:
>>
>> "If freshness tokens sent by the KDC are too short or too
>> predictable, an attacker may be able to defeat the mechanism
>> by creating signatures using every possible token value.
>> To prevent this attack, the freshness token SHOULD contain
>> a minimum of 64 unpredictable bits."
>>
>>
> Yes, that works for me, thanks.
> 

Great. So are the authors/chairs/WG ok with adding that
too? If nobody objects I'll add the RFC editor note
tomorrow and we can go from there. (There'll still be
plenty of time for later objections if this is somehow
a horrible thing, but I can't see how that'd be the
case at all:-)

All going well, Kathleen can clear her discuss then
and we can give this one to the RFC editor as a very
slightly early holiday present.

Cheers,
S.

> 
>> If that works, I can add an RFC editor note to that effect
>> or the authors can fire out a new draft.
>>
>> Greg also said: "I am willing to accept an amendment changing
>> 64 to 96 or 128.  It's a SHOULD, so it doesn't really constrain
>> the implementation." And I agree that any of those numbers
>> would likely be fine.
>>
>> So:
>>
>> Kathleen - do you think that'd be sufficient to resolve your
>> discuss? If not, what would work?
>>
>> (If the above is good enough to get the discuss cleared, then
>> I'll ask for opinions from the WG as to whether there are any
>> issues with it. But please hold off for now until we see if
>> Kathleen is ok with this resolution.)
>>
>>
> Please let me know if the WG agrees or next steps.
> 
> Thank you,
> Kathleen
> 
> 
>> Thanks,
>> S.
>>
>> PS: Be nice to get this sorted before the holidays:-)
>>
>> [1] https://www.ietf.org/mail-archive/web/kitten/current/msg06199.html
>>
>> On 30/11/16 02:21, Kathleen Moriarty wrote:
>>> Kathleen Moriarty has entered the following ballot position for
>>> draft-ietf-kitten-pkinit-freshness-07: Discuss
>>>
>>> When responding, please keep the subject line intact and reply to all
>>> email addresses included in the To and CC lines. (Feel free to cut this
>>> introductory paragraph, however.)
>>>
>>>
>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>>
>>>
>>> The document, along with other ballot positions, can be found here:
>>> https://datatracker.ietf.org/doc/draft-ietf-kitten-pkinit-freshness/
>>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>>
>>> Holding a discuss until the Gen-art conversation on minimum size of the
>>> freshness token resolves.  Will switch to a yes once that is resolved.
>>> https://www.ietf.org/mail-archive/web/gen-art/current/msg13942.html
>>>
>>>
>>>
>>>
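As an added illustration of the minimum-entropy text proposed in the thread (this is not code from the draft, from Greg Hudson, or from any Kerberos implementation), the sketch below models a KDC issuing an opaque freshness token that carries at least 64 CSPRNG bits, and the checks the KDC applies when the token comes back inside the client's signed pre-authentication data. The token layout (timestamp || nonce || MAC), the 300-second lifetime, and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# Minimum unpredictable bits in a freshness token, as proposed in the thread.
MIN_UNPREDICTABLE_BITS = 64
TOKEN_LIFETIME_S = 300   # assumed KDC policy: how long an issued token stays acceptable
MAC_LEN = 16             # truncated HMAC-SHA256 tag binding the token to this KDC's key


def build_token(kdc_key: bytes, nonce: bytes, issued_at: int) -> bytes:
    """Lay the token out as timestamp || nonce || MAC so the KDC can verify it
    statelessly. The nonce is the only unpredictable part, so its size is what
    the 64-bit minimum constrains (assumed layout, not the draft's encoding)."""
    body = struct.pack(">Q", issued_at) + nonce
    tag = hmac.new(kdc_key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


def issue_freshness_token(kdc_key: bytes, issued_at: int,
                          unpredictable_bits: int = MIN_UNPREDICTABLE_BITS) -> bytes:
    """KDC side: refuse to issue a token whose nonce would be below the minimum,
    otherwise fill the nonce from the OS CSPRNG."""
    if unpredictable_bits < MIN_UNPREDICTABLE_BITS:
        raise ValueError(f"freshness token needs >= {MIN_UNPREDICTABLE_BITS} unpredictable bits")
    return build_token(kdc_key, os.urandom(unpredictable_bits // 8), issued_at)


def verify_freshness_token(kdc_key: bytes, token: bytes, now: int) -> bool:
    """KDC side when the token returns in the client's signed data. Rejects a
    token too short to hold the minimum nonce, a token this KDC did not issue
    (MAC mismatch, checked in constant time), and an expired or future-dated
    token. A short or guessable nonce is exactly what would let an attacker
    pre-sign every token value, so the minimum is enforced at both ends."""
    min_len = 8 + MIN_UNPREDICTABLE_BITS // 8 + MAC_LEN
    if len(token) < min_len:
        return False
    body, tag = token[:-MAC_LEN], token[-MAC_LEN:]
    expected = hmac.new(kdc_key, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):
        return False
    issued_at = struct.unpack(">Q", body[:8])[0]
    return 0 <= now - issued_at <= TOKEN_LIFETIME_S
```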