Re: [kitten] WGLC on draft-ietf-krb-wg-cammac-08

Tom Yu <tlyu@MIT.EDU> Fri, 01 August 2014 19:13 UTC

From: Tom Yu <tlyu@MIT.EDU>
To: "Zheng, Kai" <kai.zheng@intel.com>
References: <53799133.70201@oracle.com> <53BB8362.3010605@oracle.com> <8D5F7E3237B3ED47B84CF187BB17B666118FB2BB@SHSMSX103.ccr.corp.intel.com>
Date: Fri, 01 Aug 2014 15:13:27 -0400
In-Reply-To: <8D5F7E3237B3ED47B84CF187BB17B666118FB2BB@SHSMSX103.ccr.corp.intel.com> (Kai Zheng's message of "Tue, 8 Jul 2014 07:58:58 +0000")
Message-ID: <ldv7g2sqazs.fsf@sarnath.mit.edu>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/ipFnv26bjW7gV2zNHhX6AhElmfA
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] WGLC on draft-ietf-krb-wg-cammac-08

"Zheng, Kai" <kai.zheng@intel.com> writes:

> Regarding the following:
> ===
>    However, protocol extensions such as Constrained Delegation (S4U2Proxy
>    [MS-SFU]) require that a service present to the KDC a service ticket
>    that the service received from a client, as evidence that the client
>    authenticated to the service.  In the S4U2Proxy extension, the KDC
>    uses the evidence ticket as the basis for issuing a derivative ticket
>    that the service can then use to impersonate the client.
> ===

[...]

> This forwardable service ticket might have been obtained by a
> KRB_AP_REQ and come from the user client (the case mentioned here), or
> by an S4U2self request (ignored here).

Hi Kai,

Thanks for your comment.  I can see how apparently ignoring tickets
obtained from S4U2Self could be distracting or confusing to a reader.
Would the following text be better?

   However, protocol extensions such as Constrained Delegation
   (S4U2Proxy [MS-SFU]) require that a service present to the KDC a
   service ticket that the KDC previously issued, as evidence that the
   service is authorized to impersonate the client principal named in
   that ticket.  In the S4U2Proxy extension, the KDC uses the evidence
   ticket as the basis for issuing a derivative ticket that the service
   can then use to impersonate the client.
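As an added illustration, not part of this message or of the draft, here is a toy Python model of the evidence-ticket flow the paragraph above describes: a client obtains a forwardable ticket for one service, that service presents the ticket to the KDC as evidence, and the KDC issues a derivative ticket for a second service in the client's name. The KDC class, the principal names (alice, webapp, fileserver, mailstore) and the checks the KDC applies (integrity under the service's key, the forwardable flag, a per-service delegation allow-list) are assumptions of the example; it is not real Kerberos and uses HMAC-SHA256 under the service's key in place of a ticket encrypted in that key.

```python
import hmac
import hashlib
import json
import secrets

# Toy model of the S4U2Proxy evidence-ticket flow (constructed example, not real Kerberos).
# A ticket is a JSON body authenticated with HMAC-SHA256 under the long-term key of the
# service it names, standing in for a real ticket encrypted in that service's key.


class Kdc:
    """Hypothetical KDC holding service keys and a per-service delegation allow-list."""

    def __init__(self):
        self.service_keys = {}        # service principal -> long-term key
        self.delegation_targets = {}  # service principal -> services it may impersonate to

    def register_service(self, sname, targets=()):
        self.service_keys[sname] = secrets.token_bytes(32)
        self.delegation_targets[sname] = set(targets)

    def _seal(self, body):
        # Authenticate the ticket body under the key of the service named in it.
        payload = json.dumps(body, sort_keys=True).encode()
        mac = hmac.new(self.service_keys[body["sname"]], payload, hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}

    def _open(self, ticket):
        # Verify the ticket was sealed under the named service's key; reject on any mismatch.
        body = ticket["body"]
        key = self.service_keys.get(body.get("sname"))
        if key is None:
            raise ValueError("unknown service principal in ticket")
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ticket["mac"]):
            raise ValueError("ticket integrity check failed")
        return body

    def issue_service_ticket(self, cname, sname, forwardable):
        # Ordinary TGS exchange: a client obtains a ticket for a service.
        return self._seal({"cname": cname, "sname": sname, "forwardable": forwardable})

    def s4u2proxy(self, requesting_service, evidence_ticket, target_service):
        # The service presents the ticket it received in a KRB_AP_REQ as evidence.
        body = self._open(evidence_ticket)
        if body["sname"] != requesting_service:
            raise ValueError("evidence ticket was not issued to the requesting service")
        if not body["forwardable"]:
            raise ValueError("evidence ticket is not forwardable")
        if target_service not in self.delegation_targets.get(requesting_service, set()):
            raise ValueError("requesting service may not delegate to this target")
        # Derivative ticket: issued to the target service in the name of the original client.
        return self._seal({"cname": body["cname"], "sname": target_service,
                           "forwardable": False, "via": requesting_service})


def run_flow():
    """Walk the flow once; return the derivative ticket body and the rejections observed."""
    kdc = Kdc()
    kdc.register_service("webapp", targets={"fileserver"})
    kdc.register_service("fileserver")
    kdc.register_service("mailstore")

    # 1. Client alice obtains a forwardable ticket for webapp and presents it (KRB_AP_REQ).
    evidence = kdc.issue_service_ticket("alice", "webapp", forwardable=True)
    # 2. webapp presents that ticket to the KDC as evidence and asks for a fileserver ticket.
    derived = kdc.s4u2proxy("webapp", evidence, "fileserver")["body"]

    rejections = {}
    # Modified client name with the original MAC: the integrity check fails.
    modified = {"body": dict(evidence["body"], cname="bob"), "mac": evidence["mac"]}
    try:
        kdc.s4u2proxy("webapp", modified, "fileserver")
    except ValueError as e:
        rejections["tampered"] = str(e)
    # Evidence ticket that was never marked forwardable.
    plain = kdc.issue_service_ticket("alice", "webapp", forwardable=False)
    try:
        kdc.s4u2proxy("webapp", plain, "fileserver")
    except ValueError as e:
        rejections["not_forwardable"] = str(e)
    # Target not on webapp's delegation allow-list.
    try:
        kdc.s4u2proxy("webapp", evidence, "mailstore")
    except ValueError as e:
        rejections["not_allowed"] = str(e)
    return derived, rejections


if __name__ == "__main__":
    print(run_flow())
```

One limitation the model makes visible: the only key protecting the evidence ticket is the presenting service's own long-term key, so the integrity check rules out third-party tampering but cannot by itself tell the KDC that the ticket's contents originated with the KDC rather than with the service that holds that key. That is why KDC-originated authorization data in an evidence ticket needs protection under a key the service does not hold.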