IETF Logo Mail Archive

Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt

Benjamin Kaduk <kaduk@MIT.EDU> Wed, 06 April 2016 14:23 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79F8312D0B4; Wed, 6 Apr 2016 07:23:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wUU9VMNoQaGU; Wed, 6 Apr 2016 07:23:01 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCE0C12D5E4; Wed, 6 Apr 2016 07:23:00 -0700 (PDT)
X-AuditID: 1209190f-c8fff70000004b9e-e5-57051bc3e25b
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id E3.7B.19358.3CB15075; Wed, 6 Apr 2016 10:22:59 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id u36EMw7t019635; Wed, 6 Apr 2016 10:22:59 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u36EMtBe031927 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 6 Apr 2016 10:22:57 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id u36EMsFw003677; Wed, 6 Apr 2016 10:22:54 -0400 (EDT)
Date: Wed, 06 Apr 2016 10:22:54 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Michiko Short <michikos@microsoft.com>
In-Reply-To: <BY1PR03MB1417EBB6878983B57073528CD0800@BY1PR03MB1417.namprd03.prod.outlook.com>
Message-ID: <alpine.GSO.1.10.1604061016100.26829@multics.mit.edu>
References: <20160321223215.12211.35084.idtracker@ietfa.amsl.com> <56F0945E.5070804@openfortress.nl> <BLUPR0301MB1953F7DDC9FD35D3139F4F20CD800@BLUPR0301MB1953.namprd03.prod.outlook.com> <56F0EFBD.90800@openfortress.nl> <56F13EEB.70502@mit.edu> <BY1PR03MB1417EBB6878983B57073528CD0800@BY1PR03MB1417.namprd03.prod.outlook.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrKIsWRmVeSWpSXmKPExsUixG6nrntYmjXcYFGXksXVVR2MFkc3r2Kx +NfN58DssWTJTyaP1h1/2QOYorhsUlJzMstSi/TtErgyPm4+yFTwQ7ri1H7bBsa3Yl2MnBwS AiYSM3dPZe5i5OIQEmhjklgzezorhLOBUeLjzh9sEM5BJomONXOZQFqEBOolXn+9ygJiswho STz8vIcRxGYTUJGY+WYjG4gtAhT/cOE0C0gzs8AaRolDq2eCNQgLeEvcPNbJCmJzCsRKHJy1 HqiZg4NXwFHi+YoqiGXHmCSOftoAViMqoCOxev8UsF5eAUGJkzOfgNnMQAuWT9/GMoFRYBaS 1CwkqQWMTKsYZVNyq3RzEzNzilOTdYuTE/PyUot0TfRyM0v0UlNKNzGCQpNTkn8H45wG70OM AhyMSjy8AlYs4UKsiWXFlbmHGCU5mJREeT0lWMOF+JLyUyozEosz4otKc1KLDzFKcDArifDO EgPK8aYkVlalFuXDpKQ5WJTEeRkZGBiEBNITS1KzU1MLUotgsjIcHEoSvKzAGBQSLEpNT61I y8wpQUgzcXCCDOcBGt4vBTK8uCAxtzgzHSJ/ilFRSpz3lSRQQgAkkVGaB9cLTh27mVRfMYoD vSLM2wTSzgNMO3Ddr4AGMwENrhdmAhlckoiQkmpgNK2UvXajPLGK2dHoiMUbh6p/FS6z9fM2 KPxz3B1Y6nklvu1Lfnbdhh3GjfEblpsdNjSta2c8tbWyLTKluqNtXfm12C45izkf5yTY25k9 8HskzJu9Zc0VLq5Zbz/Fs4Tc6/VeabtOe3a+wknNs7N4q593zmb5dHv3w5qZh504hS6I2lot THqsxFKckWioxVxUnAgAZ5D6HfgCAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/htSl-UWiNRUPd35OAjcf9qMR3wQ>
Cc: "kitten@ietf.org" <kitten@ietf.org>, "draft-ietf-kitten-pkinit-freshness@ietf.org" <draft-ietf-kitten-pkinit-freshness@ietf.org>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2016 14:23:03 -0000

Hi Michiko,

Can you please submit a new revision making the MUST --> SHOULD change?

Also, I would like to get an explicit confirmation from Greg that this
text is not problematic (in Section 2.4):

   [...] If the freshness token is not valid, the KDC MUST
   return a KRB_ERROR [RFC4120] message with the error-code

KDC_ERR_PREAUTH_EXPIRED [RFC6113].  The e-data field of the error
   contains a METHOD-DATA object [RFC4120] which specifies a valid
   PA_AS_FRESHNESS padata-value.

I see an old comment from Greg in the archives that RFC 6113 made no
specification for including METHOD-DATA in a KDC_ERR_PREAUTH_EXPIRED error
packet, but a more recent message indicated general acceptance of the
whole document (with no specific mention of this text).  My understanding
is that the concern related to the need to unambiguously specify how to
construct the error packet, since RFC 6113 did not give guideance on this
scenario (whereas RFC 4120 did give guidance for constructing error
packets for KDC_ERR_PREAUTH_FAILED), but the thread is old enough that I
would like another confirmation.

Thanks,

Ben

On Tue, 22 Mar 2016, Michiko Short wrote:

> Since the infinite loop problem exists for Kerberos clients already, I would prefer to not specify something since this is an extension to an extension.
>
> However, the must is valid. Not sure how we all missed that.
> "If a client receives a KDC_ERR_PREAUTH_EXPIRED KRB_ERROR message that includes a freshness token, it SHOULD retry using the new freshness token."
>
> I would really like to get this to last call and get the official IANA number
>
> -----Original Message-----
> From: Greg Hudson [mailto:ghudson@mit.edu]
> Sent: Tuesday, March 22, 2016 5:48 AM
> To: Rick van Rein <rick@openfortress.nl>; Paul Miller (NT) <paumil@microsoft.com>
> Cc: kitten@ietf.org; draft-ietf-kitten-pkinit-freshness@ietf.org
> Subject: Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt
>
> On 03/22/2016 03:09 AM, Rick van Rein wrote:
> >> It is the responsibility of the client not to retry indefinitely.
> >
> > May I suggest that you state that in the text?  The current draft is a procedure, and could benefit from invariant statements to clarify the cases that fall outside of the intended procedure.
>
> If I understand correctly, we are worried about an infinite loop of AS-REQ -> KDC_ERR_PREAUTH_EXPIRED -> AS-REQ -> ... due to the section 2.5.
>
> If we need to alter this text anyway, I don't like the requirement that "If a client receives a KDC_ERR_PREAUTH_EXPIRED KRB_ERROR message that includes a freshness token, it MUST retry using the new freshness token."  MUSTs are to be used when behavior "is actually required for interoperation or to limit behavior which has potential for causing harm" (RFC 2119 section 6).  A client which implements RFC 6113 could respond to KDC_ERR_PREAUTH_EXPIRED the same way it already does, by retrying from the beginning, without affecting interoperability or causing harm.
>
> I suggest the following text:
>
>   If a client receives a KDC_ERR_PREAUTH_EXPIRED KRB_ERROR message that
>   includes a freshness token, it SHOULD retry the PKINIT-authenticated
>   AS-REQ using the new freshness token.  The client MAY restart the
>   conversation instead.  The client MUST limit the number of retries to
>   avoid looping forever in case of a misbehaving KDC.
>
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten
>

v2.23.0 | Report a Bug | By Email