Re: [kitten] I-D Action: draft-ietf-krb-wg-cammac-09.txt

Greg Hudson <ghudson@mit.edu> Mon, 08 September 2014 16:58 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2B141A8903 for <kitten@ietfa.amsl.com>; Mon, 8 Sep 2014 09:58:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.853
X-Spam-Level:
X-Spam-Status: No, score=-5.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7qCX1MvPGHyn for <kitten@ietfa.amsl.com>; Mon, 8 Sep 2014 09:58:57 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id 56E7C1A88FC for <kitten@ietf.org>; Mon, 8 Sep 2014 09:58:55 -0700 (PDT)
X-AuditID: 12074422-f79436d000000c21-ea-540de04e7445
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 2F.0B.03105.E40ED045; Mon, 8 Sep 2014 12:58:54 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id s88Gwm15010101; Mon, 8 Sep 2014 12:58:49 -0400
Received: from [18.101.8.96] (vpn-18-101-8-96.mit.edu [18.101.8.96]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s88GwlNB020302 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 8 Sep 2014 12:58:48 -0400
Message-ID: <540DE046.2020709@mit.edu>
Date: Mon, 08 Sep 2014 12:58:46 -0400
From: Greg Hudson <ghudson@mit.edu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Benjamin Kaduk <kaduk@mit.edu>, Tom Yu <tlyu@mit.edu>
References: <20140905195755.12365.12570.idtracker@ietfa.amsl.com> <ldvwq9h24e0.fsf@sarnath.mit.edu> <alpine.GSO.1.10.1409081219440.21571@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1409081219440.21571@multics.mit.edu>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrJIsWRmVeSWpSXmKPExsUixCmqrev3gDfE4MBfM4ujm1exODB6LFny kymAMYrLJiU1J7MstUjfLoEr491C9oIezopTMzcxNjBOZO9i5OSQEDCR2Lz6CCuELSZx4d56 ti5GLg4hgdlMErdXf2aHcDYwSjRfecAI4Rxgkjj+swkow8HBK6AmMXWfN0g3i4CqxNTu22BT 2QSUJdbv38oCYosKhEg0tfawgdi8AoISJ2c+YQFpFRGwlDi60REkzCwgLHFh+16wI4QFHCUW dP1nhlg1k1Fi0cpjjCAJTgEniQdTNrNBNOhJ7Lj+ixXClpdo3jqbeQKj4CwkK2YhKZuFpGwB I/MqRtmU3Crd3MTMnOLUZN3i5MS8vNQiXVO93MwSvdSU0k2MoFBld1HawfjzoNIhRgEORiUe Xo7LPCFCrIllxZW5hxglOZiURHk/3OENEeJLyk+pzEgszogvKs1JLT7EKMHBrCTC+/QyUI43 JbGyKrUoHyYlzcGiJM771toqWEggPbEkNTs1tSC1CCYrw8GhJMFrcR+oUbAoNT21Ii0zpwQh zcTBCTKcB2i4P0gNb3FBYm5xZjpE/hSjLse6zm/9TEIsefl5qVLivCvvARUJgBRllObBzYGl mFeM4kBvCfPGgoziAaYnuEmvgJYwAS2ZFAy2pCQRISXVwGi8aeHRgw9+7Nb/aciRGVmfpq7S XvT91LLd3wVKlvUmXVYOmMLqGnP5Affm6zWtrC/tF00WmXD4/bnbkkE77W8Jmy1R4CyfMW0H z8PHBXPOGldM+nV8vaqmVH3LmokH/85TDnvhncYlf8A0T6ymP8lo8s+9Qnv055/doHJ3fkrC Sa0tPkcOzLZTYinOSDTUYi4qTgQAjOqnegwDAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/kFbO10Cc34v-epn8BHzzlGxjISA
Cc: kitten@ietf.org
Subject: Re: [kitten] I-D Action: draft-ietf-krb-wg-cammac-09.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Sep 2014 16:59:00 -0000

On 09/08/2014 12:29 PM, Benjamin Kaduk wrote:
> Aside from the extra "be" (in "be use") that Simo pointed out on IRC, I am
> still not sure that I understand the last paragraph of the security
> considerations.  That is, I don't see how using the S4U2Proxy extension
> and having policy disallow the use of S4U2Proxy would result in similar
> security properties.

I tihnk the extra "be" is supposed to be "not" or "never".

I suggest changing:

    The KDC MAY create a new CAMMAC from an existing CAMMAC	
    lacking a kdc-verifier if it is inserting the new CAMMAC into a	
    service ticket for the same service principal as the ticket that	
    contained the existing CAMMAC, and if all of the realm's KDCs are	
    configured to reject S4U2Proxy requests made by that service	
    principal.

to instead say, "... as the ticket that contained the existing CAMMAC,
but MUST NOT place a kdc-verifier in the new CAMMAC."  This is simpler
to implement.  By not putting a kdc-verifier in the new CAMMAC, we don't
risk treating the new CAMMAC contents as definitively KDC-originated for
a subsequent S4U2Proxy request if the policy changes.