IETF Logo Mail Archive

[kitten] shepherd review of draft-ietf-kitten-krb-auth-indicator-02

Benjamin Kaduk <kaduk@MIT.EDU> Sun, 25 September 2016 23:20 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1F8412B040; Sun, 25 Sep 2016 16:20:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.517
X-Spam-Level:
X-Spam-Status: No, score=-6.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d9wiQBHHRgQn; Sun, 25 Sep 2016 16:20:35 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB53612B047; Sun, 25 Sep 2016 16:20:29 -0700 (PDT)
X-AuditID: 12074425-ed7ff700000024c2-1f-57e85bbb613e
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 8A.53.09410.BBB58E75; Sun, 25 Sep 2016 19:20:28 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id u8PNKRYN024441; Sun, 25 Sep 2016 19:20:27 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u8PNKOiC014786 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 25 Sep 2016 19:20:26 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id u8PNKNf5007354; Sun, 25 Sep 2016 19:20:23 -0400 (EDT)
Date: Sun, 25 Sep 2016 19:20:23 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: draft-ietf-kitten-krb-auth-indicator@ietf.org
Message-ID: <alpine.GSO.1.10.1609251734290.5272@multics.mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrIIsWRmVeSWpSXmKPExsUixG6nrrsn+kW4wdlz/BaHb+xitzi6eRWL A5PHkiU/mQIYo7hsUlJzMstSi/TtErgyjh/tZCmYL1fx8OYV9gbGGxJdjJwcEgImEn3XzjF1 MXJxCAm0MUmc/X+LBcLZyCjx9d59KOcQk8TJGWuYQVqEBBoYJRY89u1iZOdgEdCWOJgEEmUT UJGY+WYjWxcjB4eIgKHEyx4dkDCzgLDE+nMzwBqFBZwlvs17xgJi8wo4SBz9uAXMFhXQkVi9 fwpUXFDi5MwnLBC9WhLLp29jmcDINwtJahaS1AJGplWMsim5Vbq5iZk5xanJusXJiXl5qUW6 Fnq5mSV6qSmlmxjBIeWiuoNxzl+vQ4wCHIxKPLwLjj4PF2JNLCuuzD3EKMnBpCTKO+sCUIgv KT+lMiOxOCO+qDQntfgQowQHs5II79fQF+FCvCmJlVWpRfkwKWkOFiVx3q4ZB8KFBNITS1Kz U1MLUotgsjIcHEoSvC+igBoFi1LTUyvSMnNKENJMHJwgw3mAhteC1PAWFyTmFmemQ+RPMSpK ifMygSQEQBIZpXlwveCY382k+opRHOgVYd5wkCoeYLqA634FNJgJaPC3O09ABpckIqSkGhgF DOdblSzM2Zq5O1bYZs3890f6DvuXGD3NElh22Yv7XeWpXbnN2SdOc015lXzu3NTOlw0RB2+W pIsUdzAcbjtqzqH9MGTRpY5Jy1J0d5tw3M2dLJTge+Tqej9xp5TwYo/JwdJ+q48l5z4yXcMx Xb6A68SzNB8HPiE3efd/oftd/Vv+mv4q2abEUpyRaKjFXFScCADKpzqJ1AIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/lkoCQDv_fqGChInjzh_jJzD6C4Q>
Cc: kitten@ietf.org
Subject: [kitten] shepherd review of draft-ietf-kitten-krb-auth-indicator-02
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Sep 2016 23:20:41 -0000

Hi all,

I've completed my shepherd review of
draft-ietf-kitten-krb-auth-indicator-02, and unfortunately it seems that
an additional revision may be needed.

It feels like some parts of the document are written as if the "short
strings" for comparison against known values are only for use when
presented back to the KDC, but other parts of the document describe it as
being used for policy decisions made by application services as well as
the KDC.  (If it was just the KDC that was handling it, the document would
not need to specify, since KDC-internal things need not
necessarily interoperate the way that public protocol elements do.)  There
is also the possibility (probability, really), of site-local values that
are specific to a given realm.  This is perhaps implied by the mention of
"the name of the Pre-Authentication mechanism used" but not stated
explicitly.  The interoperability requirements for site-local values are
less stringent, but there still needs to be a clear understanding of what
the contents of the protocol field should be.

So, I think that section 3 should be more stringent, saying something like
"strings that contain a colon character MUST be URIs that reference a
Level of Assurance Profile, leaving other strings available for
site-local use".

I also suspect that the last paragraph of the security considerations
should be rewritten in a normative fashion and moved to section 3, to make
it clear what the presence of a given string in the authdata indicates.
(Do we know of reasons why someone might use this AD element to indicate
something other than a positive indication that the indicated requirements
were met during the initial authentication?)

There's also some matter of form regarding the string
"AD-AUTHENTICATION-INDICATOR", which should probably just be used for the
definition of the ASN.1 type; the value 97 is the ad-type for which the
contents of-the ad-data field will be the DER encoding of the
AD-AUTHENTICATION-INDICATOR object.  So, I would just say "The KDC MAY
include authorization data of ad-type 97, wrapped in AD-CAMMAC, [...]" and
skip the line that's just

AD-AUTHENTICATION-INDICATOR 97

(and replace the colon with a full stop).



Some other editorial notes:

In the Abstract, s/the service tickets/service tickets/

In the Introduction, hyphenate "password-based".  It's probably good to
mention "or other preauthentication schemes" after public-key cryptography
(which, hmm, should probably also be hyphenated), and make it into a
comma-separated list.  Is "have" the best word in "[i]mplmentations that
have pre-authentication-mechanisms [...]"?  Maybe "offer", "support", or
"provide"?  In the last sentence of the first paragraph, maybe "strength
of the authentication that was used, for use as an input" would remove
some ambiguity.  In the second paragraph, maybe "to convey authentication
strength information", and "Elements of this type [will|MUST] appear
within an AD-CAMMAC".  Also, it's probably worth a clause briefly saying
why the CAMMAC is needed (to provide authenticity/integrity when a ticket
is presented back to the KDC).

The 2119 boilerplate doesn't list "NOT RECOMMENDED" but you don't use it,
so maybe it doesn't need to change.

In Section 3, it may be better to split the first sentence into two, so
"The KDC MAY copy it from a ticket-granting ticket into service tickets"
is a separate sentence, since the KDC can do the first without ever
needing to do the latter.

Still in Section 3, put a comma before "such as the name of the
Pre-Authentication mechanism used".  (Also, I sort-of want to ask "how
short is a short string?", but there's not really a useful answer to give,
particularly since the LoA URIs are in play and are likely to be longer
than non-URI strings.)


Thanks,

Ben

v2.23.0 | Report a Bug | By Email