Re: [kitten] Review of draft-ietf-kitten-krb-service-discovery-00
Matt Rogers <mrogers@redhat.com> Thu, 30 March 2017 18:52 UTC
Return-Path: <mrogers@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 431DE127698 for <kitten@ietfa.amsl.com>; Thu, 30 Mar 2017 11:52:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.121
X-Spam-Level:
X-Spam-Status: No, score=-2.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9VmPzmsXvvH0 for <kitten@ietfa.amsl.com>; Thu, 30 Mar 2017 11:52:09 -0700 (PDT)
Received: from mail-qt0-f181.google.com (mail-qt0-f181.google.com [209.85.216.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DA8D129A20 for <kitten@ietf.org>; Thu, 30 Mar 2017 11:52:08 -0700 (PDT)
Received: by mail-qt0-f181.google.com with SMTP id n21so47565955qta.1 for <kitten@ietf.org>; Thu, 30 Mar 2017 11:52:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=DvOb4DF+ZaQoSVtnPjDA2NlBXnV9ObEzsKYXD9SwBXM=; b=F5KiSDUEEuNXTPrnislbf0NNTqSjas5TPDPidMthiSxloL7uyvIXMehrCu51c8mEJg rVbJ8MyQ/XEquOh+mIiIKIoTb5+KGltf1QPdtdwcFAN50KNWAPLCNvzuDzjGe018ojHV yht9Ne0hx5/dKbsg78E1+T1P0ImvL06GLrF1ocw68sAdx57NZHUJtgjVdj+qBxfwFeon ruhtCdu9m0mLYeHwhUzwcWaA6LqHbnfuVmCHeQBCHMHqVFchJPwdkFxTYIVsueEI7L3a H4xD8bPQIPuz6zRs1z9h2BzHJiKofcX0WdkjYv7SWZpAfYS0QR9CWWWHd8bDFg5EpLO9 Ho/w==
X-Gm-Message-State: AFeK/H2RT4wx+lfgbDI2xQgZpzT7k2MvhGPCv0rbJmhxwft7cWu/VWUabwfsf+FNQpqi2QcFIcIIWnopA8kuUqli
X-Received: by 10.200.39.97 with SMTP id h30mr1317325qth.18.1490899927077; Thu, 30 Mar 2017 11:52:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.175.181 with HTTP; Thu, 30 Mar 2017 11:51:36 -0700 (PDT)
In-Reply-To: <x7dzige39sj.fsf@equal-rites.mit.edu>
References: <x7dzige39sj.fsf@equal-rites.mit.edu>
From: Matt Rogers <mrogers@redhat.com>
Date: Thu, 30 Mar 2017 14:51:36 -0400
Message-ID: <CAAeFVfwexk8THERJZ5Qm+sTB+FVMWsRSOXninGFmMWehzwiz-A@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: kitten@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ghNm080mE5DP_r11igluDu2Hc1Q>
Subject: Re: [kitten] Review of draft-ietf-kitten-krb-service-discovery-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 18:52:12 -0000
On Tue, Mar 21, 2017 at 11:54 AM, Greg Hudson <ghudson@mit.edu> wrote: > In general: > > * RFC 7553 is informational and this document is standards track, which > is a down reference (see RFC 3967). Also, RFC 7553 contains ambiguous > guidance about URI records labels which some readers have interpreted > as being incompatible with our use of labels. I think at one point we > received advice to reference the IANA registration of the URI record > type instead of RFC; unfortunately I do not know the mechanics of that > kind of reference. > The IANA registration entry refers to RFC 7553: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml Perhaps it should just be an informative reference instead. > * Similarly, MS-KKDCP is in the normative references section, and is not > a standards-track IETF document. It is only used as the reference in > the initial contents of the transport registry, so perhaps it can just > be an informative reference. > I'll make this an informative reference. > Abstract: > > * I would rephrase or omit the fourth goal ("define a discovery > procedure for Kerberos password services"). There is an > interoperable, well-documented[1] de facto standard for discovering > kpasswd services; it just isn't specified in an RFC. It's debatable > whether this is a serious enough deficit to mention in the abstract as > a problem that we're solving; if it is, I would say "formally specify" > rather than "define" to make it clear that the problem being remedied > is the lack of a formal specification. I think "formally specify" would be better. > > * Section 4.2.1 (Master Flag) is too focused on password changes, I > think. I suggest: > > The client SHOULD consider this server as one that might possess more > up-to-date long-term key material, and use it as a fallback for errors > that might result from out-of-date keys. > Works for me. > Section 4.4 (Residual): > > * I suggest "where such are defined" -> "as defined" > This will be removed with the Residual section (based on past comments to redefine the fields as "krb5srv:[flags]:transport-type:transport-info") > Section 5 (Kerberos V5 KDC Service Discovery): > > * "REALM indicates the translation of the Kerberos realm to a DNS > domain" seems to invoke some kind of translation procedure without a > reference. RFC 4120 doesn't really define any such translation > procedure; it just says in section 6.1 that a realm might be in > domain style with some specifics on what that means, and in section > 7.2.3.2 that "The realm MUST be a domain-style realm name". > > (Section 6 has this same wording again.) How about "..client MUST query the following URI DNS record, where REALM is a domain-style realm name." > > Section 7 (Kerberos Admin Service Discovery): > > * There is no standard admin protocol, even a de facto one (well, > Heimdal has some interoperability with MIT krb5). It doesn't make a > lot of sense to specify a standard discovery protocol when there is no > standard for what is being discovered. I think we want to leave this > as an implementation-specific aside. > > This change would have an impact on section 9.2.1 (removing the > default admin service port) and 9.2.2. > I'm OK with removing this part. > Section 8 (Relationship to Existing Mechanism): > > * The wording here seems too general. I think we want to specifically > say that URI records should be preferred over SRV records. > How about: "Clients that support service discovery through both URI and SRV records SHOULD perform the URI discovery first. If no URI record is found, the client MAY then attempt SRV discovery." > Section 9.1.2 (Initial Registry Contents, for flags registry): > > * The reference here is "TBD". Is there a plan? Is the reference > supposed to be to this RFC once a number is assigned? > It should be changed to the assigned number, yes. It was suggested that instead of TBD we use [This Document], which I think is the convention for this kind of reference. I'd also like to get some thoughts on this text for a Security Considerations section: "The security implication of using DNS URI records is identical to that of using DNS for any Kerberos service or host mapping; without secure DNS the results can be forged. The same precautions regarding the use of insecure DNS with Kerberos outlined in RFC 4120 should be followed." Thanks, Matt
- Re: [kitten] Review of draft-ietf-kitten-krb-serv… Matt Rogers
- Re: [kitten] Review of draft-ietf-kitten-krb-serv… Benjamin Kaduk
- [kitten] Review of draft-ietf-kitten-krb-service-… Greg Hudson
- Re: [kitten] Review of draft-ietf-kitten-krb-serv… Henry B (Hank) Hotz, CISSP
- Re: [kitten] Review of draft-ietf-kitten-krb-serv… Jeffrey Altman
- Re: [kitten] Review of draft-ietf-kitten-krb-serv… Greg Hudson
- Re: [kitten] Review of draft-ietf-kitten-krb-serv… Jeffrey Altman
- Re: [kitten] Review of draft-ietf-kitten-krb-serv… Henry B (Hank) Hotz, CISSP
- Re: [kitten] Review of draft-ietf-kitten-krb-serv… Matt Rogers
- Re: [kitten] Review of draft-ietf-kitten-krb-serv… Greg Hudson