Re: [kitten] Kathleen Moriarty's Discuss on draft-ietf-kitten-pkinit-freshness-07: (with DISCUSS)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 20 December 2016 16:59 UTC

To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>
Cc: mrogers@redhat.com, kitten@ietf.org, kitten-chairs@ietf.org, draft-ietf-kitten-pkinit-freshness@ietf.org

Hi Kathleen, Kitten-WG:

I read the thread on this and I think a suggestion made
on the kitten list [1] by Greg Hudson ought to work to
address the valid concern that a too-short or predictable
freshness token could be abused.

The suggestion was to add a new paragraph to the security
considerations saying:

"If freshness tokens sent by the KDC are too short or too
predictable, an attacker may be able to defeat the mechanism
by creating signatures using every possible token value.
To prevent this attack, the freshness token SHOULD contain
a minimum of 64 unpredictable bits."

If that works, I can add an RFC editor note to that effect
or the authors can fire out a new draft.

Greg also said: "I am willing to accept an amendment changing
64 to 96 or 128.  It's a SHOULD, so it doesn't really constrain
the implementation." And I agree that any of those numbers
would likely be fine.

So:

Kathleen - do you think that'd be sufficient to resolve your
discuss? If not, what would work?

(If the above is good enough to get the discuss cleared, then
I'll ask for opinions from the WG as to whether there are any
issues with it. But please hold off for now until we see if
Kathleen is ok with this resolution.)

Thanks,
S.

PS: Be nice to get this sorted before the holidays:-)

[1] https://www.ietf.org/mail-archive/web/kitten/current/msg06199.html

On 30/11/16 02:21, Kathleen Moriarty wrote:
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-kitten-pkinit-freshness-07: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-kitten-pkinit-freshness/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Holding a discuss until the Gen-art conversation on minimum size of the
> freshness token resolves.  Will switch to a yes once that is resolved.
> https://www.ietf.org/mail-archive/web/gen-art/current/msg13942.html
> 
> 
> 
> 
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten
>