IETF Logo Mail Archive

Re: [kitten] AD Review: draft-ietf-kitten-rfc5653bis-04

Eric Rescorla <ekr@rtfm.com> Tue, 25 July 2017 05:04 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF5AA126BF3 for <kitten@ietfa.amsl.com>; Mon, 24 Jul 2017 22:04:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9nilkgkf3N0b for <kitten@ietfa.amsl.com>; Mon, 24 Jul 2017 22:04:50 -0700 (PDT)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92628126B7E for <kitten@ietf.org>; Mon, 24 Jul 2017 22:04:50 -0700 (PDT)
Received: by mail-yw0-x230.google.com with SMTP id l82so4056093ywc.2 for <kitten@ietf.org>; Mon, 24 Jul 2017 22:04:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rZxfidnbI0jXrVBFfzevqLbiua9uSnBR4cecLxZIqHQ=; b=d7+4lQbbOqIn6mkm3XVw1iH4FCNE5cvbabO8hGC73RGGF4Rpn8PkuSiZxZ7ltpf++w RnSYo5AM6SMjNz0YdQxBczu36q5Bsr1b+lC9sGlerPIE/ofzAfCFoiw98W+VVYwVG4Sp MarK6MS+v4BAu4KRZVS+h4UoxvIGhqnn6BkHNEyWRhk2VcCGRfwgxAxNbuEgF+9sqXvl y/dAhV7HBdx1kfLTp3nVlFJ9mhIFd+uYo/qo040YyPkw2lJxzNTIw1Oy8KNlVIUveRqD rX2O/8IxYTBwpAQiwYxJau6rU+Sb5FfWr/nl4nwS7UcZOKPuDdPhUHUnnCfuQXh4L8dM ISJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rZxfidnbI0jXrVBFfzevqLbiua9uSnBR4cecLxZIqHQ=; b=d80SEItXb+5Nh5IOrFLgFsGgwzP5GKXa7zsQXBWV2URh7on+84vmrX5lPCVWsFxR5R 7Cm6MRgSqnOrX7d6jMclbi971NY6u8Bn3Q733T9bt6AdjKI+uVr1TgJYjtrPTKMQokSe V0+HLcxbO+FyOhoHuXv4gF7xxlhn1F/O+JroMSeYj9tm91u8qruwG5R0wpN1eFhyao04 kWFPdfXCYSvRh/2RT+EGZKcRndElV861ukmEnFIdA6jpOTT3wf9YdjofOasZuDhhe3Md gQyHhaPMBjk54udaYWjYb7BBlDwh3jFPg/O6VO9AmHQzxIjE+mnGO44PP99INjlFwvmp rv6A==
X-Gm-Message-State: AIVw110FoSkMdi4T9he6BfM8Y9C1UPwpq+2yKPdCfEKs0ixypEk9+KZ2 oifqY78RoUUFWGIIzrYxdkEAuKv4LKu/
X-Received: by 10.129.70.132 with SMTP id t126mr14973411ywa.270.1500959089837; Mon, 24 Jul 2017 22:04:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.36.12 with HTTP; Mon, 24 Jul 2017 22:04:09 -0700 (PDT)
In-Reply-To: <20170718002217.GL75962@kduck.kaduk.org>
References: <CABcZeBPG-xqYj+FrPfJofvpLP-UD2PA52NrgxR_Y4nzwY4S8Uw@mail.gmail.com> <DC114106-3DAA-4CFC-B83D-EA277036AEAE@oracle.com> <CABcZeBP6+dtxoR9eib2Ymhv7fBORMnw4M+NSKN-7WG3AowVG0Q@mail.gmail.com> <20170718002217.GL75962@kduck.kaduk.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 24 Jul 2017 22:04:09 -0700
Message-ID: <CABcZeBNWQBjx5Bx-XmVfxxtsiZnUayT18EUkSxDh56i_A=vaYw@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Weijun Wang <weijun.wang@oracle.com>, kitten <kitten@ietf.org>
Content-Type: multipart/alternative; boundary="001a11484e9e5f87e105551d4500"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/g0mNc189tjnjc9LTHyKjWUQKPCw>
Subject: Re: [kitten] AD Review: draft-ietf-kitten-rfc5653bis-04
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 05:04:53 -0000

On Mon, Jul 17, 2017 at 5:22 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Fri, Jul 14, 2017 at 08:57:32AM -0700, Eric Rescorla wrote:
> > On Wed, Jul 12, 2017 at 8:41 PM, Weijun Wang <weijun.wang@oracle.com>
> wrote:
> >
> > > Hi Ekr
> > >
> > > Please read my answers below to your original questions.
> > >
> > > > On Jun 18, 2017, at 2:23 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> > > >
> > > > This document seems generally sound. There are some things about this
> > > > API that confused/surprised me and seem perhaps unwise, but given
> that
> > > > this is a bis, I will mostly confine my review to mostly calling them
> > > > out and asking you to make sure I understand and that the document is
> > > > clear.
> > > >
> > > > OVERALL
> > > > 1. What is a fatal error?
> > > > The document describes exceptions as indicating "fatal errors".
> > > > What does this mean for the state of the context. For instance,
> > > > if I receive an exception from initSecContext(), does that mean
> > > > that it is no longer possible to initiate it? Your example code
> > > > seems to treat them as fatal for the context. What happens
> > > > if I try to use a context after such an event?
> > >
> > > I’ll add a paragraph in "5.12.  Error Reporting” explaining whether the
> > > context is useable after an exception is thrown, for context
> establishment
> > > and per-message calls, respectively. Something like
> > >
> > > +If an exception is thrown during context establishment, the context
> > > +negotiation has failed and the GSSContext object must be abandoned.
> > > +If it is thrown in a per-message call, the context can remain useful.
> > >
> > > >
> > > >
> > > > 2. How do I enforce properties for received messages?
> > > > I see that I can request services for context initialization
> > > > (requestConf), and that I can check whether a given message
> > > > was encrypted (getPrivacy) but it's not clear to me if this
> > > > causes the API to enforce these rules for tokens that I
> > > > receive. Is that possible or do I just need to check?
> > >
> > > You would have to check. Even if an established security context
> already
> > > has its getConfState() being true, one can still wrap a message with
> > > privacy state set to false and the peer will unwrap it with success.
> If the
> > > peer insists only encrypted messages are allowed, she should always
> check.
> > >
> > > This is already documented in 6.4.10.
> > >
> > > >
> > > > 3. Are the request* flags() hard limits? E.g., if I do
> > > > requestMutualAuth() do I get it or fail?
> > >
> > > The method does not fail itself (i.e. does not throws an exception) and
> > > you need to check the result with those getXyzState() methods after the
> > > context is established.
> > >
> > > I can add a paragraph in S 5.9, something like:
> > >
> > > +If any retrieved attribute does not match the desired value
> > > +but it is necessary for the application protocol, the application
> should
> > > +destroy the security context and not use it for application traffic.
> > > +Otherwise, at this point, the context can be used by the application
> to
> > > +apply cryptographic services to its data.
> > >
> >
> > Sorry, I mean does the handshake fail? Or do you just hace to check.
>
> You have to check.  The GSS-API has always been a request-and-check
> type of API.
>

OK. I think that should be explicitly stated.


>
> >
> > > 4. It's a little unusual to have a structure where you keep
> > > > calling initSecContext or acceptContext() repeatedly. In
> > > > most APIs you would do like "setRole(Server)" or
> > > > "setRoleClient(), and then "Handshake().
> > >
> > > Sorry but this is how GSS-API works now.
> > >
> > > >
> > > > DETAIL
> > > > S 6.1.16.
> > > > Can addProviderAtFront() be used to add new providers which
> > > > the API would not normally use at all?
> > >
> > > No, 6.1.16 already had
> > >
> > >    Only when the indicated provider does not support
> > >    the needed mechanism should the GSSManager move on to a different
> > >    provider.
> > >
> > > I think this implies that a new provider added might be used at all.
> > >
> >
> > That doesn't seem very clear to me. My point is you might have defaults
> and
> > then add new omnes.
>
> I think you could use this to slot in your custom provider that was not
> part of the system Java implementation, yes.
> But I don't interact with the Java GSS stuff very much.
>

OK. This also needs to be explicit.

> > > S 5.3.

> > > > gss_release_cred() is just eager, right? In any case the data will
> > > > be cleaned up on GC? In any case you should make this clear.
> > >
> > > gss_release_cred() is eager, and there is no other guarantee the data
> can
> > > be automatically cleaned up. Even if GC cleaned up the GSSCredential
> > > object, there might be unreleased handles underneath.
> > >
> > > S 6.3 already has
> > >
> > >    When the credential is no longer needed, the application should call
> > > the dispose (equivalent to gss_release_cred) method to release any
> > > resources held by the credential object and to destroy any
> > > cryptographically sensitive information.
> > >
> > > Do you think it’s necessary to append something like “An implementation
> > > should not rely on garbage control or a finalize() method to dispose a
> > > credential”?
> > >
> >
> > Yes.
> >
> >
> >
> > >
> > > > S 6.1.15.
> > > > I wouldn't say you are "creating a previously exported context". You
> > > > are either importing it or creating a new context from a previously
> > > > exported one.
> > >
> > > Accepted.
> > >
> > > >
> > > > S 6.2.1.
> > > >
> > > >    // export and re-import the name
> > > >    byte[] exportName = mechName.export();
> > > >
> > > >    // create a new name object from the exported buffer
> > > >    GSSName newName = mgr.createName(exportName,
> > > >                      GSSName.NT_EXPORT_NAME);
> > > >
> > > > This comment structure is confusing, because the first is just
> > > > the export. I would change that.
> > >
> > > Accepted.
> > >
> > > >
> > > >
> > > > S 6.2.6.
> > > > It's a bit unclear to me under what circumstances you can compare GSS
> > > > names. I see you can do .equals() and export/memcmp, but can you
> > > > compare strings? Perhaps after you canonicalize them?
> > >
> > > As Ben and I explained this is quite complicated. Can we not touch it
> in
> > > this bis?
> >
> >
> > The fact that it's complicated seems like more reason to explain it.
>
> In some sense, you can always compare GSS names (in that the compare-name
> function will not throw an exception), but the results may not always
> match the expected behavior.  (It's too bad that RFC 6680 didn't take the
> time to summarize the state of affairs when adding naming extensions.)
> I don't think we should try to provide a comprehensive review of the
> state of affairs in this document, nor any normative statements (that would
> only apply to implementations of the Java bindings whereas the issues
> apply to all GSS-API implementations).  But perhaps something like the
> following would be reasonable:
>
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>
> A full treatment of the behavior of GSS name comparison is outside the
> scope of this work.  However, applications should note that to avoid
> surpising behavior, it is best to ensure that the names being compared
> are either both mechanism names for the same mechanism, or both internal
> names that are not mechanism names.  This holds whether the .equals()
> method is used directly, or the .export() method is used to generate byte
> strings that are then compared byte-by-byte.
>
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>

Yes, this seems fine.

-Ekr

v2.23.0 | Report a Bug | By Email