Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-01.txt

Greg Hudson <ghudson@mit.edu> Mon, 04 May 2015 15:12 UTC

Message-ID: <55478C61.2040601@mit.edu>
Date: Mon, 04 May 2015 11:12:33 -0400
From: Greg Hudson <ghudson@mit.edu>
To: Sam Hartman <hartmans-ietf@mit.edu>, Benjamin Kaduk <kaduk@mit.edu>
In-Reply-To: <tslbni0y0d2.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/gl6eNRPOSxpuREYUH0vbYtsrFvs>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Michiko Short <michikos@microsoft.com>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-01.txt

On 05/04/2015 08:48 AM, Sam Hartman wrote:
> I think it is entirely reasonable to ask all clients to send a freshness
> request.

I think it's a little unfortunate, but if it will make Microsoft's life
easier, a few extra bytes in each AS request won't break the world.

MIT krb5 clients will probably send the freshness request
unconditionally, since our preauth framework doesn't make it easy to
determine ahead of time whether the client can do authenticated PKINIT.
We'll need to be prepared to retry without it because of older MIT krb5
KDCs, but we already have logic for that because of PA-REQ-ENC-PA-REP
(RFC 6806).