Re: [kitten] Gen-art LC review: draft-ietf-kitten-rfc6112bis-02

Shawn M Emery <shawn.emery@oracle.com> Mon, 24 October 2016 21:10 UTC

To: Benjamin Kaduk <kaduk@mit.edu>, Robert Sparks <rjsparks@nostrum.com>
References: <023b4b96-77ef-a78e-3546-4d05f339d5e0@nostrum.com> <alpine.GSO.1.10.1610231420240.5272@multics.mit.edu>
From: Shawn M Emery <shawn.emery@oracle.com>
Message-ID: <474b703b-983b-419e-9493-9eba128040a5@oracle.com>
Date: Mon, 24 Oct 2016 15:12:25 -0600
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/jjdLa51wU1NUXeSFC57WeU0wuGk>
Cc: kitten@ietf.org, General Area Review Team <gen-art@ietf.org>, ietf@ietf.org, draft-ietf-kitten-rfc6112bis.all@ietf.org

On 10/23/16 12:22 PM, Benjamin Kaduk wrote:
> On Fri, 21 Oct 2016, Robert Sparks wrote:
>
>> I am the assigned Gen-ART reviewer for this draft. The General Area
>> Review Team (Gen-ART) reviews all IETF documents being processed
>> by the IESG for the IETF Chair.  Please treat these comments just
>> like any other last call comments.
>>
>> For more information, please see the FAQ at
>>
>> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>>
>> Document: draft-ietf-kitten-rfc6112bis-02
>> Reviewer: Robert Sparks
>> Review Date: 21 Oct 2016
>> IETF LC End Date: 2 Nov 2016
>> IESG Telechat date: Not yet scheduled on a telechat
>>
>> Summary: Ready with nits
>>
>> Nits/editorial comments:
>>
>> Shouldn't the IANA considerations instruct IANA to update the registries at
>> http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml
>> to update the three rows that currently point to 6112 to point to this
>> document instead (or at least in addition to 6112)?
> Yes, thanks for spotting that.

Yes, thank you for your review.

>> Micro-nit: There is a 2119 MUST carried forward from RFC6112 that could be
>> improved if the group is willing. "Care MUST be taken by the TGS to not
>> reveal". I would suggest "The TGS MUST NOT reveal...". If you need to further
>> highlight care, add a sentence that says "Implementers need to be particularly
>> careful when addressing this requirement." It is a very small nit - please
>> feel free to ignore it.
> That looks like a good change to me.  Folks on kitten@, does anyone think
> otherwise?  If we do not get any objections, I think we can include that
> in an RFC Editor Note.
>

Agreed; however, I noticed another area that could use better 2119 
language in regard to this.  Here are the proposed updates:

OLD:
Care MUST be taken by the KDC not to reveal the client's identity in the 
authorization data of the returned ticket when populating the 
authorization data in a returned anonymous ticket.
NEW:
The KDC MUST NOT reveal the client's identity in the authorization data 
of the returned ticket when populating the authorization data in a 
returned anonymous ticket.

OLD:
Care MUST be taken by the TGS not to reveal the client's identity in the 
authorization data of the returned ticket.
NEW:
The TGS MUST NOT reveal the client's identity in the authorization data 
of the returned ticket.


I have the following RFC Editor notes to date (including the above):

Section: 9.  Acknowledgements
-----------------------------------------
OLD:
9.  Acknowledgements
NEW:
9.  Acknowledgments

Greg Hudson and Robert Sparks provided helpful text in the bis 
version of the draft.

Section: 10.  IANA Considerations:
---------------------------------------------
<Note to IANA>

         Please update the following Kerberos Parameters registries:

         Well-Known Kerberos Principal Names
         Well-Known Kerberos Realm Names
         Pre-authentication and Typed Data

         to reference this RFC instead of RFC6112.

Shawn.
--