IETF Logo Mail Archive

Re: [kitten] Token Preauth for Kerberos

"Zheng, Kai" <kai.zheng@intel.com> Wed, 09 July 2014 01:49 UTC

Return-Path: <kai.zheng@intel.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BAFC1A0240 for <kitten@ietfa.amsl.com>; Tue, 8 Jul 2014 18:49:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.552
X-Spam-Level:
X-Spam-Status: No, score=-7.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hKQacyZKMO5f for <kitten@ietfa.amsl.com>; Tue, 8 Jul 2014 18:49:57 -0700 (PDT)
Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by ietfa.amsl.com (Postfix) with ESMTP id 597A71A023E for <kitten@ietf.org>; Tue, 8 Jul 2014 18:49:57 -0700 (PDT)
Received: from orsmga002.jf.intel.com ([10.7.209.21]) by orsmga101.jf.intel.com with ESMTP; 08 Jul 2014 18:49:57 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.01,630,1400050800"; d="scan'208";a="570287772"
Received: from fmsmsx104.amr.corp.intel.com ([10.19.9.35]) by orsmga002.jf.intel.com with ESMTP; 08 Jul 2014 18:49:56 -0700
Received: from fmsmsx113.amr.corp.intel.com (10.18.116.7) by FMSMSX104.amr.corp.intel.com (10.19.9.35) with Microsoft SMTP Server (TLS) id 14.3.123.3; Tue, 8 Jul 2014 18:49:56 -0700
Received: from shsmsx102.ccr.corp.intel.com (10.239.4.154) by FMSMSX113.amr.corp.intel.com (10.18.116.7) with Microsoft SMTP Server (TLS) id 14.3.123.3; Tue, 8 Jul 2014 18:49:56 -0700
Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.210]) by shsmsx102.ccr.corp.intel.com ([169.254.2.21]) with mapi id 14.03.0123.003; Wed, 9 Jul 2014 09:49:55 +0800
From: "Zheng, Kai" <kai.zheng@intel.com>
To: Greg Hudson <ghudson@MIT.EDU>
Thread-Topic: [kitten] Token Preauth for Kerberos
Thread-Index: Ac95oBHY/v5P0th/QSGCBpa/sVINTQMo1vwAABRlhDAACyy6gADKjG2g///1jYD/3rPSIIBCjV+A//7iu7A=
Date: Wed, 09 Jul 2014 01:49:55 +0000
Message-ID: <8D5F7E3237B3ED47B84CF187BB17B666118FB9DE@SHSMSX103.ccr.corp.intel.com>
References: <8D5F7E3237B3ED47B84CF187BB17B666118D870F@SHSMSX103.ccr.corp.intel.com> <1402609038.22737.57.camel@willson.usersys.redhat.com> <8D5F7E3237B3ED47B84CF187BB17B666118ED023@SHSMSX103.ccr.corp.intel.com> <1402663277.22737.60.camel@willson.usersys.redhat.com> <8D5F7E3237B3ED47B84CF187BB17B666118F09D8@SHSMSX103.ccr.corp.intel.com> <1403009009.22737.129.camel@willson.usersys.redhat.com> <8D5F7E3237B3ED47B84CF187BB17B666118FB475@SHSMSX103.ccr.corp.intel.com> <53BC1D53.6040106@mit.edu>
In-Reply-To: <53BC1D53.6040106@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.239.127.40]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/fzRtPK0sNvCNE1_FwBeVLfU7UzI
Cc: "kitten@ietf.org" <kitten@ietf.org>, "krbdev@mit.edu" <krbdev@mit.edu>
Subject: Re: [kitten] Token Preauth for Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jul 2014 01:49:59 -0000

Hi Creg,

> this sounds like creating a container-of-anything within an existing container-of-anything.  That is, if you see something within an AD-TOKEN subcontainer, you don't know anything about what it is, only something about where it came from and how it is encoded.

Hmmm, not exactly as what I mean. It's container-of-exactly-token within the existing container-of-anything (AD-KDC-ISSUED). Looking at AD-TOKEN subcontainer, applications are meant to get a token from it, as AD-TOKEN could be defined as:
   AD-TOKEN            ::= SEQUENCE {
           token     [0] OCTET STRING,
   }
The token is defined as JWT token, and can be converted as OCTET STRING according to how JWT tokens are serialized into binary bytes.

Looks like AD-CAMMAC is a better alternative to AD-KDC-ISSUED, so as you suggested we can use it instead, though it's a little bit complex regarding implementation.

Regards,
Kai

-----Original Message-----
From: Greg Hudson [mailto:ghudson@MIT.EDU] 
Sent: Wednesday, July 09, 2014 12:33 AM
To: Zheng, Kai
Cc: kitten@ietf.org; krbdev@mit.edu
Subject: Re: [kitten] Token Preauth for Kerberos

On 07/08/2014 08:10 AM, Zheng, Kai wrote:
> How about having a new one like AD-TOKEN that contains the token derivation.

To me, this sounds like creating a container-of-anything within an existing container-of-anything.  That is, if you see something within an AD-TOKEN subcontainer, you don't know anything about what it is, only something about where it came from and how it is encoded.

An advantage of the subcontainer approach is that the KDC can be fairly dumb.  But the server application has to be correspondingly smart; if a semantically equivalent piece of authorization data could exist in one of several subcontainers, each with its own encoding, then it must understand all of the different subcontainers and search within each.

v2.45.0 | Report a Bug | By Email | System Status