Re: [kitten] Token Preauth for Kerberos
Greg Hudson <ghudson@MIT.EDU> Tue, 08 July 2014 16:33 UTC
To: "Zheng, Kai" <kai.zheng@intel.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>, "krbdev@mit.edu" <krbdev@mit.edu>
On 07/08/2014 08:10 AM, Zheng, Kai wrote:
> How about having a new one like AD-TOKEN that contains the token derivation.

To me, this sounds like creating a container-of-anything within an existing container-of-anything. That is, if you see something within an AD-TOKEN subcontainer, you don't know anything about what it is, only something about where it came from and how it is encoded.

An advantage of the subcontainer approach is that the KDC can be fairly dumb. But the server application has to be correspondingly smart; if a semantically equivalent piece of authorization data could exist in one of several subcontainers, each with its own encoding, then it must understand all of the different subcontainers and search within each.