Re: [kitten] Verified authorization data

Peter Mogensen <apm@one.com> Wed, 11 June 2014 17:03 UTC

Message-ID: <53988BB6.8010409@one.com>
Date: Wed, 11 Jun 2014 19:02:46 +0200
From: Peter Mogensen <apm@one.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Simo Sorce <simo@redhat.com>
References: <8D5F7E3237B3ED47B84CF187BB17B666118D870F@SHSMSX103.ccr.corp.intel.com> <5397328E.6020005@mit.edu> <539849AA.4000506@one.com> <1402503444.13617.1.camel@willson.usersys.redhat.com>
In-Reply-To: <1402503444.13617.1.camel@willson.usersys.redhat.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/fGY6HtjqJWzbNQgFOYH-rdKl5Yc
Cc: "kitten@ietf.org" <kitten@ietf.org>, "krbdev@mit.edu" <krbdev@MIT.EDU>
Subject: Re: [kitten] Verified authorization data
Precedence: list

On 2014-06-11 18:17, Simo Sorce wrote:
> On Wed, 2014-06-11 at 14:20 +0200, Peter Mogensen wrote:
>> The solution in AD-CAMMAC seems very complex too, requiring
>> effectively calculating the entire EncTicketPart twice - and once for
>> every present AD-CAMMAC present.
>
> I am confused about this statement. The AD-CAMMAC draft specifies that
> it contains a sequence of AD elements, that means you have only 1
> AD-CAMMAC for all the AD data you want to protect. You check the whole
> thing only once.

I were not sure whether you could rule out any use case requiring 
merging of 2 AD-CAMMAC elements with - say - different other-verifier 
checksums for which the KDC didn't have all the keys.
But I guess that since other-verifier restricts the principals to be in 
the KDC realm, that could not happen.

Still... the whole EncTicketPart has to be constructed and DER-encoded 
twice to add a kdc-verifier.

/Peter

[kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Thomas Hardjono
Re: [kitten] Token Preauth for Kerberos Greg Hudson
Re: [kitten] Token Preauth for Kerberos Nordgren, Bryce L -FS
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
[kitten] Verified authorization data Peter Mogensen
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Verified authorization data Simo Sorce
Re: [kitten] Verified authorization data Peter Mogensen
Re: [kitten] Verified authorization data Simo Sorce
Re: [kitten] Token Preauth for Kerberos Nathaniel McCallum
Re: [kitten] Verified authorization data Peter Mogensen
Re: [kitten] Verified authorization data Simo Sorce
Re: [kitten] Verified authorization data Peter Mogensen
Re: [kitten] Verified authorization data Simo Sorce
Re: [kitten] Verified authorization data Peter Mogensen
Re: [kitten] Verified authorization data Simo Sorce
Re: [kitten] Verified authorization data Peter Mogensen
Re: [kitten] Verified authorization data Simo Sorce
Re: [kitten] Token Preauth for Kerberos Simo Sorce
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Wang Weijun
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Simo Sorce
Re: [kitten] Token Preauth for Kerberos Dr. Greg Wettstein
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Simo Sorce
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Greg Hudson
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Benjamin Kaduk
Re: [kitten] Token Preauth for Kerberos Zheng, Kai