IETF Logo Mail Archive

Re: [kitten] shepherd review of draft-ietf-kitten-krb-auth-indicator-02

Greg Hudson <ghudson@mit.edu> Mon, 26 September 2016 16:28 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4678C12B305; Mon, 26 Sep 2016 09:28:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.536
X-Spam-Level:
X-Spam-Status: No, score=-6.536 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YSypOBtox-0b; Mon, 26 Sep 2016 09:28:31 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EECF512B2BA; Mon, 26 Sep 2016 09:28:30 -0700 (PDT)
X-AuditID: 1209190e-7fbff70000006339-1c-57e94cad88d6
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 93.72.25401.DAC49E75; Mon, 26 Sep 2016 12:28:30 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id u8QGSTYo023009; Mon, 26 Sep 2016 12:28:29 -0400
Received: from [18.101.8.139] (vpn-18-101-8-139.mit.edu [18.101.8.139]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u8QGSQB4017757 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 26 Sep 2016 12:28:28 -0400
To: Benjamin Kaduk <kaduk@mit.edu>, draft-ietf-kitten-krb-auth-indicator@ietf.org
References: <alpine.GSO.1.10.1609251734290.5272@multics.mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <c0921ba3-7b3e-4716-736b-b73518dafe93@mit.edu>
Date: Mon, 26 Sep 2016 12:28:26 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <alpine.GSO.1.10.1609251734290.5272@multics.mit.edu>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrGIsWRmVeSWpSXmKPExsUixCmqrLvO52W4wUMvi8M3drFbHN28isWB yWPJkp9MAYxRXDYpqTmZZalF+nYJXBlX33awFOwRqjg8dwpLA+NRvi5GDg4JAROJljUsXYxc HEICbUwSdzYuYIRwNjJKfGpvYoNwjjJJLN3Yy9zFyMkhLBAk0bbpCCuILSIQJbF6/Tw2EFtI wEHixablYDazgLDE8jVnwWw2AWWJ9fu3soDYvAJWEov3HAeLswioSrw8sIYJxBYViJC4teoj I0SNoMTJmU/A6jkFHCUmdb1lgZipJ7Hj+i9WCFteYvvbOcwTGAVmIWmZhaRsFpKyBYzMqxhl U3KrdHMTM3OKU5N1i5MT8/JSi3SN9XIzS/RSU0o3MYKDU5JvB+OkBu9DjAIcjEo8vAuOPg8X Yk0sK67MPcQoycGkJMorY/wyXIgvKT+lMiOxOCO+qDQntfgQowQHs5IIb7cXUI43JbGyKrUo HyYlzcGiJM7bNeNAuJBAemJJanZqakFqEUxWhoNDSYJXABiFQoJFqempFWmZOSUIaSYOTpDh PEDDL3mDDC8uSMwtzkyHyJ9iVJQS590OkhAASWSU5sH1gpNHKkf3K0ZxoFeEedVAVvAAEw9c 9yugwUxAg5eeeAEyuCQRISXVwCj4YPqOf0c71okwLQ+9sMPhztrFz23PJfAp3LzF/+vq396T 2sL68uHH3BLWlnw2aMoQXW0TZMrnVRa38uaPrN7TJ6RcxNu38Sp77+ifeEXj26G5PpIPVjxl NXvwgGFB2r7dL8tvLdiaX/J04pbQp//uy0+x6/4iajGRYdG+/VcNlJQD3h2wcTZTYinOSDTU Yi4qTgQAdkqNxfkCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/jYb7F2cOPrxj4SEJq1Uyk-sObrg>
Cc: kitten@ietf.org
Subject: Re: [kitten] shepherd review of draft-ietf-kitten-krb-auth-indicator-02
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2016 16:28:38 -0000

On 09/25/2016 07:20 PM, Benjamin Kaduk wrote:
> It feels like some parts of the document are written as if the "short
> strings" for comparison against known values are only for use when
> presented back to the KDC, but other parts of the document describe it as
> being used for policy decisions made by application services as well as
> the KDC.

Application servers can use auth indicators.  What parts of the document
imply that they are only used by the KDC?

> So, I think that section 3 should be more stringent, saying something like
> "strings that contain a colon character MUST be URIs that reference a
> Level of Assurance Profile, leaving other strings available for
> site-local use".

The existing text in section 3 is pretty clear to me, but if we need to
make it more clear, I suggest replacing:

    These
    strings MAY be site-defined strings that do not contain a colon such
    as the name of the Pre-Authentication mechanism used, or
    alternatively URIs that reference a Level of Assurance Profile
    [RFC6711].

with:

    Each string MUST be either:

    * A URI which references a Level of Assurance Profile [RFC6711].

    * A site-defined string, which MUST NOT contain a colon, whose
      meaning is determined by the realm administrator.

> I also suspect that the last paragraph of the security considerations
> should be rewritten in a normative fashion and moved to section 3, to make
> it clear what the presence of a given string in the authdata indicates.
> (Do we know of reasons why someone might use this AD element to indicate
> something other than a positive indication that the indicated requirements
> were met during the initial authentication?)

That seems like a reasonable change to me.

> There's also some matter of form regarding the string
> "AD-AUTHENTICATION-INDICATOR", which should probably just be used for the
> definition of the ASN.1 type; the value 97 is the ad-type for which the
> contents of-the ad-data field will be the DER encoding of the
> AD-AUTHENTICATION-INDICATOR object.  So, I would just say "The KDC MAY
> include authorization data of ad-type 97, wrapped in AD-CAMMAC, [...]" and
> skip the line that's just
> 
> AD-AUTHENTICATION-INDICATOR 97
> 
> (and replace the colon with a full stop).

That change also seems okay to me.

v2.23.0 | Report a Bug | By Email