Re: [kitten] Kerberos Service Discovery using DNS
Greg Hudson <ghudson@mit.edu> Wed, 11 March 2015 14:39 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C338A1ACDDA for <kitten@ietfa.amsl.com>; Wed, 11 Mar 2015 07:39:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D_3dugcKBwNj for <kitten@ietfa.amsl.com>; Wed, 11 Mar 2015 07:39:47 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 202FE1ACDB6 for <kitten@ietf.org>; Wed, 11 Mar 2015 07:39:46 -0700 (PDT)
X-AuditID: 1209190e-f79bb6d0000030e8-aa-550053b156d8
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id F3.44.12520.1B350055; Wed, 11 Mar 2015 10:39:45 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t2BEdiO7019856; Wed, 11 Mar 2015 10:39:45 -0400
Received: from [18.101.8.239] (vpn-18-101-8-239.mit.edu [18.101.8.239]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t2BEdghM013104 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 11 Mar 2015 10:39:43 -0400
Message-ID: <550053AE.2020701@mit.edu>
Date: Wed, 11 Mar 2015 10:39:42 -0400
From: Greg Hudson <ghudson@mit.edu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Rick van Rein <rick@openfortress.nl>, Nathaniel McCallum <npmccallum@redhat.com>
References: <1425578271.2715.5.camel@redhat.com> <2CB0CE49-2109-4666-9FFA-33538244E84E@openfortress.nl> <1426025143.16339.10.camel@redhat.com> <C8C3D9F0-5D74-493C-A75A-60AD5B765662@openfortress.nl>
In-Reply-To: <C8C3D9F0-5D74-493C-A75A-60AD5B765662@openfortress.nl>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpileLIzCtJLcpLzFFi42IRYrdT190YzBBqsPewvsXRzatYLOZ+ncVq 8fTVPTYHZo8lS34yeWz418Tm8X7fVbYA5igum5TUnMyy1CJ9uwSujJ3TZjIX7OesuPQ5pYHx DnsXIyeHhICJRO/9qVC2mMSFe+vZuhi5OIQEFjNJbDjXygrhbGSU2DvvODuEc4RJ4sWxC2At vAJqEmt2LmLuYuTgYBFQlfi00BkkzCagLLF+/1YWEFtUIExi9rqLjBDlghInZz4Bi4sIxEps vvUfLM4sICxxYfteVhBbWMBKYvPGJYwQu44ySqya+QGsiFPAWeLuyvVMEA3qEn/mXWKGsOUl mrfOZp7AKDgLyY5ZSMpmISlbwMi8ilE2JbdKNzcxM6c4NVm3ODkxLy+1SNdYLzezRC81pXQT IyioOSX5djB+Pah0iFGAg1GJh3fGrP8hQqyJZcWVuYcYJTmYlER5l/kxhArxJeWnVGYkFmfE F5XmpBYfYpTgYFYS4d0RCJTjTUmsrEotyodJSXOwKInzbvrBFyIkkJ5YkpqdmlqQWgSTleHg UJLg1QoCahQsSk1PrUjLzClBSDNxcIIM5wEazgpSw1tckJhbnJkOkT/FqCglzssGkhAASWSU 5sH1wpLOK0ZxoFeEeS1AqniACQuu+xXQYCagwSzWQE/yFpckIqSkGhhnJ1x87K248YA177IT J+/Oyys0Wuy111JRmUOpK4tDf7PH+5Ab+2tuCF98Z7l7yyKhbYvOsbmv4NHn3Pyj7VJeksTl MPWn0WLff7ZO1TL96qmfVrXERj6/0lty08naOSvetngXzPc6YbX048sncZPN12ssNd0aLixy 5vS+4IYpK1QnnhC4u+qvEktxRqKhFnNRcSIACUcqgBUDAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/eWrCXUwMXWQU0tnPuWZYNRht2_Y>
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos Service Discovery using DNS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2015 14:39:48 -0000
On 03/11/2015 05:25 AM, Rick van Rein wrote: > SRV records point to a hostname, not an IP address. This hostname > is then acceptable for certificates in many protocols — but I’m not > sure if that applies to the KDC’s certificates for PKINIT as well. RFC 4556 requires that the KDC certificate contain a SAN of type id-pkinit-san whose value is the TGT principal name for the realm, and also an extended key usage value of id-pkinit-KPKdc. The above applies "unless the client knows by some other means that the KDC certificate is intended for a Kerberos KDC," and generally client implementations do provide a way to use a standard SSL server cert for the KDC with appropriate configuration. In MIT krb5, the client must have the valid PKINIT cert hostnames for the realm explicitly configured in krb5.conf for this option; we do not pay any attention to the hostname from the transport lookup. I wouldn't object to security considerations language to make it explicit that an unauthenticated transport hostname MUST NOT be used to validate a PKINIT certificate (and maybe that a DNSSEC-authenticated transport hostname SHOULD NOT be used), but I don't know that it is necessary.
- Re: [kitten] Kerberos Service Discovery using DNS Petr Spacek
- Re: [kitten] Kerberos Service Discovery using DNS Nathaniel McCallum
- Re: [kitten] Kerberos Service Discovery using DNS Greg Hudson
- Re: [kitten] Kerberos Service Discovery using DNS Petr Spacek
- [kitten] Kerberos Service Discovery using DNS Nathaniel McCallum
- Re: [kitten] Kerberos Service Discovery using DNS Greg Hudson
- Re: [kitten] Kerberos Service Discovery using DNS Nathaniel McCallum
- Re: [kitten] Kerberos Service Discovery using DNS Simo Sorce
- Re: [kitten] Kerberos Service Discovery using DNS Nico Williams
- Re: [kitten] Kerberos Service Discovery using DNS Rick van Rein
- Re: [kitten] Kerberos Service Discovery using DNS Nathaniel McCallum
- Re: [kitten] Kerberos Service Discovery using DNS Rick van Rein
- Re: [kitten] Kerberos Service Discovery using DNS Greg Hudson
- Re: [kitten] Kerberos Service Discovery using DNS Rick van Rein
- Re: [kitten] Kerberos Service Discovery using DNS Viktor Dukhovni
- Re: [kitten] Kerberos Service Discovery using DNS Nathaniel McCallum
- Re: [kitten] Kerberos Service Discovery using DNS Benjamin Kaduk
- Re: [kitten] Kerberos Service Discovery using DNS Benjamin Kaduk
- Re: [kitten] Kerberos Service Discovery using DNS Nathaniel McCallum
- Re: [kitten] Kerberos Service Discovery using DNS Greg Hudson
- Re: [kitten] Kerberos Service Discovery using DNS Benjamin Kaduk
- Re: [kitten] Kerberos Service Discovery using DNS Nathaniel McCallum
- Re: [kitten] Kerberos Service Discovery using DNS Nathaniel McCallum
- Re: [kitten] Kerberos Service Discovery using DNS Jeffrey Altman