Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal authentication

"Adamson, Andy" <William.Adamson@netapp.com> Thu, 04 September 2014 11:58 UTC

From: "Adamson, Andy" <William.Adamson@netapp.com>
To: Nico Williams <nico@cryptonector.com>
Thread-Topic: [kitten] [nfsv4] rpcsec-gssv3 multi-principal authentication
Date: Thu, 04 Sep 2014 11:57:43 +0000
Message-ID: <DD57BF66-1EB8-476E-B4C5-CD4FFB8AA401@netapp.com>
References: <alpine.GSO.1.10.1407311902230.21571@multics.mit.edu> <9BF7E3EA-59DB-4B91-A27A-659790AED727@netapp.com> <alpine.GSO.1.10.1408030153400.21571@multics.mit.edu> <alpine.GSO.1.10.1408201123060.21571@multics.mit.edu> <alpine.GSO.1.10.1409021306240.21571@multics.mit.edu> <20140903041240.GG2664@localhost> <20140903174741.GA24790@fieldses.org> <CAK3OfOipM10jM=e59q8hZd7niQGinQgWSBVFjKVabKRkvH1HUg@mail.gmail.com> <20140903192855.GA25363@fieldses.org> <CAK3OfOg9KSu7eK8a9zf24gJ92xegJhHvGXX1EEYhuPKE=Q87Vw@mail.gmail.com> <20140903194905.GB25363@fieldses.org> <alpine.GSO.1.10.1409031653010.21571@multics.mit.edu> <CAK3OfOhg8jSGECj-uAEh646Bw9Zb+oT_n8fwtHfk9HYvy30QkQ@mail.gmail.com>
In-Reply-To: <CAK3OfOhg8jSGECj-uAEh646Bw9Zb+oT_n8fwtHfk9HYvy30QkQ@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/knx5sDu0ol0wtgZQ4rn_09nkfho
Cc: "J. Bruce Fields" <bfields@fieldses.org>, "kitten@ietf.org" <kitten@ietf.org>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal authentication

On Sep 3, 2014, at 5:17 PM, Nico Williams <nico@cryptonector.com> wrote:

> On Wed, Sep 3, 2014 at 3:54 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>> On Wed, 3 Sep 2014, J. Bruce Fields wrote:
>>> Sounds like there's work to do.
>> 
>> I agree.
> 
> I agree.  I wrote this eons ago and never got to implement.
> 
> Multi-principal authentication is critical for security on multi-user
> clients.  We should get it right.

Yes. But! If we add more structure to prevent aliasing - e.g. attach it to a client machine (or clientid) - then it will prevent its use in NFSv4.2 inter-server (server-to-server) copy, where the user principal on one client machine is permitting another client (the destination server acting as a client) to act on its behalf.

I say we keep the current nonce and simply insist on privacy. This will prevent aliasing and yet allow its only current use case.

—>Andy
> 
> Nico