Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
Rick van Rein <rick@openfortress.nl> Mon, 14 September 2015 15:41 UTC
Return-Path: <rick@openfortress.nl>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 830751B5843 for <kitten@ietfa.amsl.com>; Mon, 14 Sep 2015 08:41:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2sbfNhzNYkmK for <kitten@ietfa.amsl.com>; Mon, 14 Sep 2015 08:41:52 -0700 (PDT)
Received: from lb3-smtp-cloud2.xs4all.net (lb3-smtp-cloud2.xs4all.net [194.109.24.29]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 604FC1B5F68 for <kitten@ietf.org>; Mon, 14 Sep 2015 08:41:50 -0700 (PDT)
Received: from airhead.local ([83.161.146.46]) by smtp-cloud2.xs4all.net with ESMTP id H3hn1r00D10HQrX013hoEh; Mon, 14 Sep 2015 17:41:49 +0200
Message-ID: <55F6EAB9.8050407@openfortress.nl>
Date: Mon, 14 Sep 2015 17:41:45 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
References: <55F686EA.30206@openfortress.nl> <20150914151115.GA13294@localhost>
In-Reply-To: <20150914151115.GA13294@localhost>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/fe4iJ4TEyQU0ruW34B_ouoHgw-Q>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2015 15:41:55 -0000
Hi Nico, Thanks! > Why call it KREALM if it can be used to find things other than Kerberos > realm names? It's realm descriptive information -- but if you have a better suggestion I'm listening. It's just what I came up with back then. > Why use this to find service names? The app knows the service name. Yes, in the particular use case of an app. I'm also playing around with use cases that involve service discovery. By the way, the app may lookup the service name as part of the DNS name that it queries, but that will then be case insensitive, so it may want to distinguish One from ONE and oNe. No, we don't do that yet, but for completeness sake, I think the ability to define a service name is a logical mirror image of what a realm name does. > and > finally, expecting "http@foo.example" in GSS to become > HTTP/foo.example@EXAMPLE in Kerberos would fail on older > implementations, thus why would one? I don't know what you are saying here; but can I assume the above dealt with it? > (For better or worse, GSS apps are now stuck using "HTTP" as the service > name for HTTP.) I would love to approach a realm and iterate over services, and discover that "imap" and "smtp" and "afs" were all there. Think of a blanc deskop, on which you login with kinit, only to have your mail and file storage automatically mounted :) And yes, that's all highly optional for the DNS admin... it's a use case that he may or may not want to support as far as I'm concerned. > (For things like MSFT SQL Server, a discoverable service name could > have been useful had the service name discovery process included the > service's port number as an input, but that's a very odd thing. Putting > the port number into the service name would have been plenty good enough > in actuality.) Hmm, ports and such are transport level issues... with KREALM I'm aiming at the level of authentication and principal names. > >> example.com. IN KREALM "realm" "EXAMPLE.COM" >> example.com. IN KREALM "admin" "john/admin@EXAMPLE.COM" >> example.com. IN KREALM "admin.uri" "http://www.example.com/contact.html" >> example.com. IN KREALM "admin.uri" >> "ldap://ldap.example.com/?cn=John+Smith,dc=example,dc=com" >> example.com. IN KREALM "admin.cert" "admcert.example.com." >> admcert.example.com. IN CERT ... > > I guess you meant TLSA? > No, CERT. If I want to contact a realm admin in person (yet another usecase) I want to have his credentials validated by DNSSEC under the DNS-mapped realm name. TLSA is wonderful stuff for KDC and mates, I'll grant you that! because those are protocols running on ports over some transport. > Is this really Kerberos-specific? The realm names are. The admin > principal names are (but would you list them all?) The rest doesn't > seem Kerberos-specific. If we think of realm names are "issuers" then > in a sense a new TLSA RR usage would fit the bill (though that might not > be useful for other reasons). Indeed, it's a bit more "soft soap" perhaps -- I want to contact a realm administrator (to talk about realm crossover, say) and would like to find contact information including security hints. That is a use case we can decide to like or dislike. >> Now, the question surfaces what use cases of KREALM records could >> exist. I've identified three or four: >> >> 1. Kerberos client (or his KDC) knows service name + hostname, and >> wants to find a realm name > > Sure. > >> 2. Kerberos node wants to find the case-sensitive realm name for a >> DNS name, in a secure manner > > I guess the difference between 1 and 2 is that the domainname in 2 might > not be a hostname? No, this is reversing the DNS-mapping for a DNS-styled realm name (i.e. ignoring its case and hereby getting it back). We could never do that in a secure manner and so it was never formalised. >> 3. Kerberos node wants to find automatic validation information for a >> realm administrator (principal name) > > Can you be more specific? Usually the node will just know this (e.g., > because the admin is providing their name at a prompt). I'm working on more extensive use cases. This one might help to get a remote service setup for under your realm, based on that fact that you are in charge as an admin. >> 4. Kerberos node wants to find manual contact information for a realm >> administrator (perhaps through a URI and/or CERT record with an >> X.509 or PGP certificate) > > This seems utterly generic, not Kerberos-specific. There might be many > contacts for different sub-systems (storage, cloud, this, that, > Kerberos). It is generic, and I think it should be and can be because manual handling is involved. Someone wants to email the admin and although general ideas are posted they have never been linked into use cases, which is what I am hereby proposing to do. Because I believe it is valuable to have mechanisms to find one another online in a secure manner. >> 5. (optional) Kerberos client wants to perform service discovery >> under a realm and/or at a DNS name > > But why not discover the service, then its realm (i.e., use-case 1). If > you know the realm a priori then there's no need to discover the realm > (unless it's to make sure the two match before going any further). > You may not know all the server names that you would need to discover. But yes, if you define those under your realm's DNS entry then this works. It's actually what I've also been moving towards. > ==== > > What if there are multiple realms/whatever defined? Either will do, as specified. If an app needs a realm, it has a few to try in this case. >> Based on these, I should be able to formulate the keys and search >> patterns for the data. I am aware that the keys will be vital for >> trust in the information found! >> >> If you have anything to add (or remove) then please let me know! > > If we drop the Kerberos-specificity, what then happens politically with > this proposal? Does this become a TXT replacement swiss knife that > suddenly requires more work to obtain consensus? It will be more difficult to make security assumptions from it. And it will be practically impossible to pass as a proposal I fear. Doing this for Kerberos alone is difficult enough as it stands. Unless Kitten wants to pick it up in that more general form, then things would be different. But Kerberos is the most obvious usecase that needs to learn realm names for (remote) services, especially when realm crossover is available and can reach a large number of realms. -Rick
- [kitten] Finding Kerberos Realm Descriptors in se… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Greg Hudson
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Greg Hudson
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Martin Rex
- Re: [kitten] Finding Kerberos Realm Descriptors i… Watson Ladd
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
- Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
- Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams