IETF Logo Mail Archive

Re: [kitten] Kerberos Service Discovery using DNS

Greg Hudson <ghudson@mit.edu> Wed, 11 March 2015 14:39 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C338A1ACDDA for <kitten@ietfa.amsl.com>; Wed, 11 Mar 2015 07:39:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D_3dugcKBwNj for <kitten@ietfa.amsl.com>; Wed, 11 Mar 2015 07:39:47 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 202FE1ACDB6 for <kitten@ietf.org>; Wed, 11 Mar 2015 07:39:46 -0700 (PDT)
X-AuditID: 1209190e-f79bb6d0000030e8-aa-550053b156d8
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id F3.44.12520.1B350055; Wed, 11 Mar 2015 10:39:45 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t2BEdiO7019856; Wed, 11 Mar 2015 10:39:45 -0400
Received: from [18.101.8.239] (vpn-18-101-8-239.mit.edu [18.101.8.239]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t2BEdghM013104 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 11 Mar 2015 10:39:43 -0400
Message-ID: <550053AE.2020701@mit.edu>
Date: Wed, 11 Mar 2015 10:39:42 -0400
From: Greg Hudson <ghudson@mit.edu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Rick van Rein <rick@openfortress.nl>, Nathaniel McCallum <npmccallum@redhat.com>
References: <1425578271.2715.5.camel@redhat.com> <2CB0CE49-2109-4666-9FFA-33538244E84E@openfortress.nl> <1426025143.16339.10.camel@redhat.com> <C8C3D9F0-5D74-493C-A75A-60AD5B765662@openfortress.nl>
In-Reply-To: <C8C3D9F0-5D74-493C-A75A-60AD5B765662@openfortress.nl>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpileLIzCtJLcpLzFFi42IRYrdT190YzBBqsPewvsXRzatYLOZ+ncVq 8fTVPTYHZo8lS34yeWz418Tm8X7fVbYA5igum5TUnMyy1CJ9uwSujJ3TZjIX7OesuPQ5pYHx DnsXIyeHhICJRO/9qVC2mMSFe+vZuhi5OIQEFjNJbDjXygrhbGSU2DvvODuEc4RJ4sWxC2At vAJqEmt2LmLuYuTgYBFQlfi00BkkzCagLLF+/1YWEFtUIExi9rqLjBDlghInZz4Bi4sIxEps vvUfLM4sICxxYfteVhBbWMBKYvPGJYwQu44ySqya+QGsiFPAWeLuyvVMEA3qEn/mXWKGsOUl mrfOZp7AKDgLyY5ZSMpmISlbwMi8ilE2JbdKNzcxM6c4NVm3ODkxLy+1SNdYLzezRC81pXQT IyioOSX5djB+Pah0iFGAg1GJh3fGrP8hQqyJZcWVuYcYJTmYlER5l/kxhArxJeWnVGYkFmfE F5XmpBYfYpTgYFYS4d0RCJTjTUmsrEotyodJSXOwKInzbvrBFyIkkJ5YkpqdmlqQWgSTleHg UJLg1QoCahQsSk1PrUjLzClBSDNxcIIM5wEazgpSw1tckJhbnJkOkT/FqCglzssGkhAASWSU 5sH1wpLOK0ZxoFeEeS1AqniACQuu+xXQYCagwSzWQE/yFpckIqSkGhhnJ1x87K248YA177IT J+/Oyys0Wuy111JRmUOpK4tDf7PH+5Ab+2tuCF98Z7l7yyKhbYvOsbmv4NHn3Pyj7VJeksTl MPWn0WLff7ZO1TL96qmfVrXERj6/0lty08naOSvetngXzPc6YbX048sncZPN12ssNd0aLixy 5vS+4IYpK1QnnhC4u+qvEktxRqKhFnNRcSIACUcqgBUDAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/eWrCXUwMXWQU0tnPuWZYNRht2_Y>
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos Service Discovery using DNS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2015 14:39:48 -0000

On 03/11/2015 05:25 AM, Rick van Rein wrote:
> SRV records point to a hostname, not an IP address.  This hostname
> is then acceptable for certificates in many protocols — but I’m not
> sure if that applies to the KDC’s certificates for PKINIT as well.

RFC 4556 requires that the KDC certificate contain a SAN of type
id-pkinit-san whose value is the TGT principal name for the realm, and
also an extended key usage value of id-pkinit-KPKdc.

The above applies "unless the client knows by some other means that the
KDC certificate is intended for a Kerberos KDC," and generally client
implementations do provide a way to use a standard SSL server cert for
the KDC with appropriate configuration.  In MIT krb5, the client must
have the valid PKINIT cert hostnames for the realm explicitly configured
in krb5.conf for this option; we do not pay any attention to the
hostname from the transport lookup.

I wouldn't object to security considerations language to make it
explicit that an unauthenticated transport hostname MUST NOT be used to
validate a PKINIT certificate (and maybe that a DNSSEC-authenticated
transport hostname SHOULD NOT be used), but I don't know that it is
necessary.

v2.23.0 | Report a Bug | By Email