Re: [kitten] Any Interest in a Key Delivery Service?

Benjamin Kaduk <kaduk@mit.edu> Thu, 14 September 2017 01:17 UTC

Date: Wed, 13 Sep 2017 20:17:25 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Ken Hornstein <kenh@pobox.com>
Cc: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>, "kitten@ietf.org <kitten@ietf.org>" <kitten@ietf.org>
Message-ID: <20170914011724.GN96685@kduck.kaduk.org>
References: <2FB98F5F-3981-4EFF-8CFF-FF6B5B3D485C@oxy.edu> <20170913013057.B1BEE8E632@pb-smtp2.pobox.com>
In-Reply-To: <20170913013057.B1BEE8E632@pb-smtp2.pobox.com>
User-Agent: Mutt/1.8.3 (2017-05-23)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/hG8D59cD0D59tKV4i-RmT3v0zsM>
Subject: Re: [kitten] Any Interest in a Key Delivery Service?
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

On Tue, Sep 12, 2017 at 09:30:56PM -0400, Ken Hornstein wrote:
> >I have run into a couple of cases where I wanted the kdc to provide --
> >not a service ticket -- but an actual encryption key for some data at
> >rest. (Specifically an encrypted disk or a database.)
> 
> It seems like a lot of people use KMIP for that.  I think it would make
> sense to be able to use Kerberos to authenticate to KMIP, but in my brief

I don't know much about KMIP, but it does seem like there is not very
much that would tie such a service to being part of and/or colocated with
a Kerberos KDC.  This functionality ought to be providable by a
"generic kerberized service", i.e., something running elsewhere than the
KDC that authenticates via Kerberos.  It could require initial tickets
(e.g., via kinit -S kmip/hostname) without needing to be the KDC, and
there's probably a lot of advantage in decoupling the protocol and
implementation of the key-management service and the KDC.

-Ben
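The design Ben sketches above, as an added illustration that is not code from the thread or from any KMIP or Kerberos implementation: a key-delivery service that is not the KDC, validates a service ticket using only its own long-term key (its keytab entry), insists on the INITIAL ticket flag that an AS exchange via kinit -S sets (and a TGS exchange from a TGT does not), and only then releases a data-at-rest key wrapped under the ticket's session key. Everything is a toy model: the principal names, the ACL, the vault, and the "encryption" (an HMAC-SHA256 keystream plus a MAC standing in for a real Kerberos enctype) are constructed for this example.

```python
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a Kerberos enctype, not a recommendation.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under `key`: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag and decrypt; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class ToyKDC:
    """Holds each service's long-term key; the service holds only its own (keytab)."""

    def __init__(self, service_keys: dict):
        self.service_keys = service_keys

    def issue(self, client: str, service: str, now: float, initial: bool):
        # initial=True models the AS exchange (kinit -S service): the ticket carries INITIAL.
        # initial=False models a TGS exchange from an existing TGT: no INITIAL flag.
        session = os.urandom(32)
        ticket = seal(self.service_keys[service], {
            "client": client, "service": service, "session": session.hex(),
            "flags": ["INITIAL"] if initial else [], "endtime": now + 600,
        })
        return session, ticket


class KeyDeliveryService:
    """Runs anywhere, not on the KDC: needs its keytab key, an ACL and a vault of data-at-rest keys."""
    CLOCK_SKEW = 300

    def __init__(self, principal: str, keytab_key: bytes, acl: dict, vault: dict):
        self.principal, self.keytab_key, self.acl, self.vault = principal, keytab_key, acl, vault
        self.seen = set()  # replay cache of (client, ctime), as a real AP-REQ acceptor keeps

    def handle(self, ticket: bytes, authenticator: bytes, now: float) -> bytes:
        t = unseal(self.keytab_key, ticket)  # our own key decrypts the ticket: no KDC round trip
        if t["service"] != self.principal:
            raise PermissionError("ticket is for another service")
        if t["endtime"] < now:
            raise PermissionError("ticket expired")
        if "INITIAL" not in t["flags"]:
            raise PermissionError("initial ticket required (use kinit -S)")
        session = bytes.fromhex(t["session"])
        a = unseal(session, authenticator)  # proves the caller holds the session key
        if a["client"] != t["client"] or abs(a["ctime"] - now) > self.CLOCK_SKEW:
            raise PermissionError("bad authenticator")
        if (a["client"], a["ctime"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((a["client"], a["ctime"]))
        if a["key_id"] not in self.acl.get(t["client"], ()):
            raise PermissionError("client not authorised for this key")
        return seal(session, {"key_id": a["key_id"], "key": self.vault[a["key_id"]].hex()})


def fetch_key(service, session: bytes, ticket: bytes, client: str, key_id: str, now: float) -> bytes:
    """Client side: AP-REQ-style ticket + authenticator in, wrapped key out."""
    authenticator = seal(session, {"client": client, "ctime": now, "key_id": key_id})
    return bytes.fromhex(unseal(session, service.handle(ticket, authenticator, now))["key"])


def demo() -> dict:
    now, kmip_key, svc_name = time.time(), os.urandom(32), "kmip/host.example.org"
    kdc = ToyKDC({svc_name: kmip_key})
    vault = {"disk:/dev/sda2": os.urandom(32)}
    svc = KeyDeliveryService(svc_name, kmip_key, {"alice@EXAMPLE.ORG": {"disk:/dev/sda2"}}, vault)
    results = {}
    sess, tkt = kdc.issue("alice@EXAMPLE.ORG", svc_name, now, initial=True)   # kinit -S kmip/host
    results["initial_ok"] = fetch_key(svc, sess, tkt, "alice@EXAMPLE.ORG", "disk:/dev/sda2", now) == vault["disk:/dev/sda2"]
    for label, args in (
        ("replay_refused", (svc, sess, tkt, "alice@EXAMPLE.ORG", "disk:/dev/sda2", now)),
        ("tgs_refused", (svc, *kdc.issue("alice@EXAMPLE.ORG", svc_name, now, initial=False), "alice@EXAMPLE.ORG", "disk:/dev/sda2", now)),
        ("acl_refused", (svc, *kdc.issue("bob@EXAMPLE.ORG", svc_name, now, initial=True), "bob@EXAMPLE.ORG", "disk:/dev/sda2", now)),
    ):
        try:
            fetch_key(*args)
            results[label] = False
        except PermissionError:
            results[label] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is what the service does not need: it never talks to the KDC, never sees any key but its own, and enforces the "initial ticket" policy purely from a flag the KDC already puts in every ticket. Swapping the toy cipher for GSS-API (gss_accept_sec_context with a keytab) and the vault for a KMIP backend changes nothing in that division of responsibility.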