Re: [kitten] Kathleen Moriarty's Discuss on draft-ietf-kitten-pkinit-freshness-07: (with DISCUSS)

Michiko Short <michikos@microsoft.com> Tue, 20 December 2016 20:33 UTC

From: Michiko Short <michikos@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: [kitten] Kathleen Moriarty's Discuss on draft-ietf-kitten-pkinit-freshness-07: (with DISCUSS)
Thread-Index: AQHSSrCav4teqLbWGUyJhnQWwUm91aERL1QAgAAt8ICAAAnNAIAAA+eQ
Date: Tue, 20 Dec 2016 20:33:26 +0000
Message-ID: <CY1PR03MB23152A7EE5DD8BA80E9A415CD0900@CY1PR03MB2315.namprd03.prod.outlook.com>
References: <148047251432.11670.13523989384092580597.idtracker@ietfa.amsl.com> <af355db2-c6f8-6a39-a2e2-f65cd0bea2d4@cs.tcd.ie> <CAHbuEH6J9aBbTeW6sO46a+OENRAnX1bXH56FYkjt71PO4vsrxA@mail.gmail.com> <5367e5de-0d2b-3d92-1ded-17551685f14e@cs.tcd.ie>
In-Reply-To: <5367e5de-0d2b-3d92-1ded-17551685f14e@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/gGMvTDvsFUJdVJB07CYp0--L-kE>
Cc: "mrogers@redhat.com" <mrogers@redhat.com>, "kitten@ietf.org" <kitten@ietf.org>, "kitten-chairs@ietf.org" <kitten-chairs@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-kitten-pkinit-freshness@ietf.org" <draft-ietf-kitten-pkinit-freshness@ietf.org>
Subject: Re: [kitten] Kathleen Moriarty's Discuss on draft-ietf-kitten-pkinit-freshness-07: (with DISCUSS)
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

Works for me. Please proceed. 
-Mich

-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] 
Sent: Tuesday, December 20, 2016 12:18 PM
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: mrogers@redhat.com; kitten@ietf.org; kitten-chairs@ietf.org; The IESG <iesg@ietf.org>; draft-ietf-kitten-pkinit-freshness@ietf.org
Subject: Re: [kitten] Kathleen Moriarty's Discuss on draft-ietf-kitten-pkinit-freshness-07: (with DISCUSS)


Hiya,

On 20/12/16 19:43, Kathleen Moriarty wrote:
> Hi Stephen,
> 
> Thanks for digging into this.  Inline.
> 
> On Tue, Dec 20, 2016 at 11:58 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
>>
>> Hi Kathleen, Kitten-WG:
>>
>> I read the thread on this and I think a suggestion made
>> on the kitten list [1] by Greg Hudson ought to work to
>> address the valid concern that a too-short or predictable
>> freshness token could be abused.
>>
>> The suggestion was to add a new paragraph to the security
>> considerations saying:
>>
>> "If freshness tokens sent by the KDC are too short or too
>> predictable, an attacker may be able to defeat the mechanism
>> by creating signatures using every possible token value.
>> To prevent this attack, the freshness token SHOULD contain
>> a minimum of 64 unpredictable bits."
>>
>>
> Yes, that works for me, thanks.
> 

Great. So are the authors/chairs/WG ok with adding that
too? If nobody objects I'll add the RFC editor note
tomorrow and we can go from there. (There'll still be
plenty of time for later objections if this is somehow
a horrible thing, but I can't see how that'd be the
case at all:-)

All going well, Kathleen can clear her discuss then
and we can give this one to the RFC editor as a very
slightly early holiday present.

Cheers,
S.

> 
>> If that works, I can add an RFC editor note to that effect
>> or the authors can fire out a new draft.
>>
>> Greg also said: "I am willing to accept an amendment changing
>> 64 to 96 or 128.  It's a SHOULD, so it doesn't really constrain
>> the implementation." And I agree that any of those numbers
>> would likely be fine.
>>
>> So:
>>
>> Kathleen - do you think that'd be sufficient to resolve your
>> discuss? If not, what would work?
>>
>> (If the above is good enough to get the discuss cleared, then
>> I'll ask for opinions from the WG as to whether there are any
>> issues with it. But please hold off for now until we see if
>> Kathleen is ok with this resolution.)
>>
>>
> Please let me know if the WG agrees or next steps.
> 
> Thank you,
> Kathleen
> 
> 
>> Thanks,
>> S.
>>
>> PS: Be nice to get this sorted before the holidays:-)
>>
>> [1] https://www.ietf.org/mail-archive/web/kitten/current/msg06199.html
>>
>> On 30/11/16 02:21, Kathleen Moriarty wrote:
>>> Kathleen Moriarty has entered the following ballot position for
>>> draft-ietf-kitten-pkinit-freshness-07: Discuss
>>>
>>> When responding, please keep the subject line intact and reply to all
>>> email addresses included in the To and CC lines. (Feel free to cut this
>>> introductory paragraph, however.)
>>>
>>>
>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>>
>>>
>>> The document, along with other ballot positions, can be found here:
>>> https://datatracker.ietf.org/doc/draft-ietf-kitten-pkinit-freshness/
>>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>>
>>> Holding a discuss until the Gen-art conversation on minimum size of the
>>> freshness token resolves.  Will switch to a yes once that is resolved.
>>> https://www.ietf.org/mail-archive/web/gen-art/current/msg13942.html
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Kitten mailing list
>>> Kitten@ietf.org
>>> https://www.ietf.org/mailman/listinfo/kitten
>>>
>>
>>
> 
>
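The paragraph Greg Hudson proposed for the security considerations describes a pre-signing attack: an attacker who briefly holds the client's signing capability asks it to sign every candidate freshness token, and later replays whichever signature matches the token the KDC actually issues. The model below, added here as an illustration and not part of the thread, the draft, or any Kerberos implementation, runs that attack against three KDC token policies: a random 16-bit token (too short), a random 64-bit token (meets the proposed SHOULD), and a 64-bit token that is just a counter (long enough but with no unpredictable bits). Assumptions: the client's certificate signature is stood in for by an HMAC under a key the attacker never learns, the attacker's oracle access is bounded by a signature budget, and the token's wire form is its big-endian bytes; all names and numbers are illustrative.

```python
"""Pre-signing attack on short or predictable PKINIT freshness tokens.

Added example (not code from the draft or from any KDC). Assumptions: the
client's signature is modelled as an HMAC under a key unknown to the
attacker; the attacker temporarily holds a signing oracle and may request
up to `budget` signatures; tokens are encoded as big-endian bytes.
"""

import hashlib
import hmac
import secrets

MIN_TOKEN_BITS = 64  # the SHOULD proposed for the security considerations

# Stand-in for the client's private key (assumption: HMAC rather than an
# asymmetric signature; the attack does not depend on the scheme).
_CLIENT_KEY = secrets.token_bytes(32)


def client_sign(token: bytes) -> bytes:
    """The client's signature over the KDC-supplied freshness token."""
    return hmac.new(_CLIENT_KEY, b"pa-pk-as-req|" + token, hashlib.sha256).digest()


def kdc_verify(token: bytes, signature: bytes) -> bool:
    """KDC check that the request was signed over the token it issued."""
    return hmac.compare_digest(client_sign(token), signature)


def token_bits_ok(unpredictable_bits: int) -> bool:
    """Policy check on a token format: count only unpredictable bits,
    not the encoded length."""
    return unpredictable_bits >= MIN_TOKEN_BITS


def kdc_random_token(nbits: int) -> bytes:
    """Token whose entire content comes from a CSPRNG."""
    return secrets.randbits(nbits).to_bytes((nbits + 7) // 8, "big")


class CounterKDC:
    """KDC issuing a 64-bit token that is merely a counter: long, but with
    zero unpredictable bits."""

    def __init__(self, start: int = 1000) -> None:
        self.counter = start

    def token(self) -> bytes:
        self.counter += 1
        return self.counter.to_bytes(8, "big")


class PresigningAttacker:
    """Pre-sign a chosen set of candidate tokens while the oracle is
    available; later answer any token in that set without it."""

    def __init__(self, candidates) -> None:
        self.table = {tok: client_sign(tok) for tok in candidates}

    def forge(self, token: bytes):
        return self.table.get(token)


def attack_short_token(space_bits: int, budget: int, trials: int = 200) -> float:
    """Fraction of later exchanges the attacker completes when tokens are
    uniform in a space of `space_bits` bits and the attacker pre-signed the
    first `budget` values of that space."""
    nbytes = (space_bits + 7) // 8
    candidates = (v.to_bytes(nbytes, "big") for v in range(min(1 << space_bits, budget)))
    attacker = PresigningAttacker(candidates)
    wins = 0
    for _ in range(trials):
        tok = kdc_random_token(space_bits)
        sig = attacker.forge(tok)
        if sig is not None and kdc_verify(tok, sig):
            wins += 1
    return wins / trials


def attack_predictable_token(budget: int, trials: int = 200) -> float:
    """Same attack against CounterKDC: knowing the current counter, the
    attacker pre-signs the next `budget` values. The token is 64 bits wide,
    yet every exchange inside the budget is forgeable."""
    kdc = CounterKDC()
    candidates = (v.to_bytes(8, "big") for v in range(kdc.counter + 1, kdc.counter + 1 + budget))
    attacker = PresigningAttacker(candidates)
    wins = 0
    for _ in range(trials):
        tok = kdc.token()
        sig = attacker.forge(tok)
        if sig is not None and kdc_verify(tok, sig):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("16-bit random token, 2^16 pre-signatures :", attack_short_token(16, 1 << 16))
    print("64-bit random token, 2^16 pre-signatures :", attack_short_token(64, 1 << 16))
    print("64-bit counter token, 2^16 pre-signatures:", attack_predictable_token(1 << 16))
    print("64 unpredictable bits meets the SHOULD   :", token_bits_ok(64))
```

The counter case is the reason the proposed text says "unpredictable bits" rather than "bits": a KDC that pads a timestamp or sequence number out to 64 bits satisfies the length but not the requirement, and a KDC reviewer should look at where the token's bytes come from, not at how many there are.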