IETF Logo Mail Archive

Consensus call was Re: Comments on draft-ietf-kitten-krb5-gssapi-prf-03.txt

Jeffrey Altman <jaltman@columbia.edu> Wed, 25 May 2005 15:00 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DaxMZ-0000Ji-UO; Wed, 25 May 2005 11:00:03 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DaxMY-0000J9-5C for kitten@megatron.ietf.org; Wed, 25 May 2005 11:00:02 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA19152 for <kitten@ietf.org>; Wed, 25 May 2005 11:00:00 -0400 (EDT)
Received: from serrano.cc.columbia.edu ([128.59.29.6] ident=cu41754) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1Daxew-0008FA-Ev for kitten@ietf.org; Wed, 25 May 2005 11:19:03 -0400
Received: from [192.168.1.11] (cpe-68-175-91-105.nyc.res.rr.com [68.175.91.105]) (user=jaltman mech=PLAIN bits=0) by serrano.cc.columbia.edu (8.13.0/8.13.0) with ESMTP id j4PExvda020857 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <kitten@ietf.org>; Wed, 25 May 2005 10:59:57 -0400 (EDT)
Message-ID: <429493A6.2040708@columbia.edu>
Date: Wed, 25 May 2005 11:03:02 -0400
From: Jeffrey Altman <jaltman@columbia.edu>
Organization: No Longer Affiliated with Columbia University in the City of New York
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: kitten@ietf.org
References: <7210B31550AC934A8637D6619739CE690534F6FB@e2k-sea-xch2.sea-alpha.cisco.com>
In-Reply-To: <7210B31550AC934A8637D6619739CE690534F6FB@e2k-sea-xch2.sea-alpha.cisco.com>
X-Enigmail-Version: 0.91.0.0
X-No-Spam-Score: Local
X-Scanned-By: MIMEDefang 2.48 on 128.59.29.6
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 287c806b254c6353fcb09ee0e53bbc5e
Cc:
Subject: Consensus call was Re: Comments on draft-ietf-kitten-krb5-gssapi-prf-03.txt
X-BeenThere: kitten@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@lists.ietf.org>
List-Help: <mailto:kitten-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0495594550=="
Sender: kitten-bounces@lists.ietf.org
Errors-To: kitten-bounces@lists.ietf.org

Actually, the question I raised was on the krb5 prf draft since that is
where the current text is located.  I would like a consensus call on the
following questions.

(1) Add this text to the security considerations section of the
    general prf draft:

Pseudorandom functions by their nature are capable of producing only
limited amounts of cryptographically secure output. The exact amount of
output that one can safely use, unfortunately varies from one PRF to
another (which prevents us from recommending specific numbers). Because
of this, we recommend that unless you really know what you are doing
(i.e. you are a cryptographer and are qualified to pass judgement on
cryptographic functions in areas of period, presence of short cycles,
etc), you limit the amount of the PRF output used to the necessary minimum.

(2) Remove from the security consideration section of the krb5 prf
    draft:

Care should be taken not to exceed the useful lifetime of an
established security context's session key's useful lifetime as
implementations are not required to prevent overuse of the
GSS_Pseudo_random() function.  This can effectively be achieved by
limiting the number of GSS_Pseudo_random() calls to, say, a handful
of calls per-security context.

Jeffrey Altman


Salowey, Joe wrote:
> It seems that this text and discussion really belongs in
> draft-ietf-kitten-gssapi-prf since the concerns are not Kerberos
> mechanism specific.  
>  
> Joe

_______________________________________________
Kitten mailing list
Kitten@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email