IETF Logo Mail Archive

Re: [kitten] CAMMAC open issues

Benjamin Kaduk <kaduk@MIT.EDU> Fri, 06 December 2013 18:37 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD06A1AE328 for <kitten@ietfa.amsl.com>; Fri, 6 Dec 2013 10:37:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.202
X-Spam-Level:
X-Spam-Status: No, score=-1.202 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FbhuSx_-7r0w for <kitten@ietfa.amsl.com>; Fri, 6 Dec 2013 10:37:13 -0800 (PST)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) by ietfa.amsl.com (Postfix) with ESMTP id 0DBF71AE0D4 for <kitten@ietf.org>; Fri, 6 Dec 2013 10:37:12 -0800 (PST)
X-AuditID: 12074424-b7fa56d000000be4-3e-52a21955c2b6
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id A1.18.03044.55912A25; Fri, 6 Dec 2013 13:37:09 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id rB6Ib8oO019274; Fri, 6 Dec 2013 13:37:08 -0500
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id rB6Ib6C9020899 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 6 Dec 2013 13:37:08 -0500
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id rB6Ib634020716; Fri, 6 Dec 2013 13:37:06 -0500 (EST)
Date: Fri, 06 Dec 2013 13:37:06 -0500
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Tom Yu <tlyu@MIT.EDU>
In-Reply-To: <ldvd2mcdx2s.fsf@cathode-dark-space.mit.edu>
Message-ID: <alpine.GSO.1.10.1312061329390.27579@multics.mit.edu>
References: <ldvd2mcdx2s.fsf@cathode-dark-space.mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrIIsWRmVeSWpSXmKPExsUixCmqrBsquSjI4ModDoujm1exODB6LFny kymAMYrLJiU1J7MstUjfLoEro2f3BbaCzZwVnx7HNzBuY+9i5OCQEDCRWPvKuIuRE8gUk7hw bz1bFyMXh5DAbCaJZz2rWSGcDYwSj+beZIdwDjJJPFz7mQmkRUigXmLat4msIDaLgJbEy76v YDabgIrEzDcb2UBsEQFJiWNPzjOD2MwCwhLrz80As4UFNCQ2vT0AVsMpYCnRdquPHcTmFXCU WDT9CzvEfAuJJbs/gtWICuhIrN4/hQWiRlDi5MwnLBAzLSXO/bnONoFRcBaS1CwkqQWMTKsY ZVNyq3RzEzNzilOTdYuTE/PyUot0zfVyM0v0UlNKNzGCQpLdRWUHY/MhpUOMAhyMSjy8HKsW BAmxJpYVV+YeYpTkYFIS5c0RXRQkxJeUn1KZkVicEV9UmpNafIhRgoNZSYT3yJ2FQUK8KYmV ValF+TApaQ4WJXHeWxz2QUIC6YklqdmpqQWpRTBZGQ4OJQneFgmgoYJFqempFWmZOSUIaSYO TpDhPEDDe0FqeIsLEnOLM9Mh8qcYFaXEebeDJARAEhmleXC9sJTxilEc6BVh3vkgVTzAdAPX /QpoMBPQ4OYH80AGlyQipKQaGDd2zZw/obegxMjE3UC2s8L9foXIgkaVG+tzfiptWCqwhWuq YvIBxsupv602yqroy2pNCXpvf/PAFIcnBxc7rZlREqduP+GWgUyAo21x47dlNpEJLCzPHnvY GxwIdQ04styge55HasRF1sInYSyy8VNjp7NJFEWsEE9JvxB61mnvtmZVlpLDSizFGYmGWsxF xYkA/6lmhvQCAAA=
Cc: kitten@ietf.org
Subject: Re: [kitten] CAMMAC open issues
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Dec 2013 18:37:19 -0000

On Thu, 7 Nov 2013, Tom Yu wrote:

> Here are what I think are the remaining open issues for CAMMAC.
>
> Wrapping of CAMMAC:
>
> Do we recommend enclosing a CAMMAC inside an AD-IF-RELEVANT?  RFC 4120
> says that authorization data are critical, i.e., an implementaiton
> must reject unrecognized authorization data.  Alternatively, we could
> require that CAMMAC be enclosed in an AD-KDCIssued, and drop the
> consequently redundant "svc-verifier" from CAMMAC.

It looks like this bit got all the follow-up and no one replied to the 
rest.

> Minor encoding change:
>
> Do we change "other-verifiers" from "[3] SEQUENCE OF Verifier" to
> "[3] SEQUENCE (SIZE (1..MAX)) OF Verifier OPTIONAL"?
>
> I think we should do this because it would reduce the encoding size in
> what I believe will be the common case of no additional verifiers.

That seems okay; we don't have any reason to expect an unbounded number of 
other verifiers.  I'll let you pick the MAX, though.

> Motivations text:
>
> I'm still looking over Ben's suggestions for the rewording of the
> "Motivations" section.
>
> CAMMAC-BINDING:
>
> I think I'll cover this in a separate message.

Okay.

-Ben

v2.29.0 | Report a Bug | By Email | System Status