[kitten] shepherd review of draft-ietf-kitten-krb-auth-indicator-02
Benjamin Kaduk <kaduk@MIT.EDU> Sun, 25 September 2016 23:20 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1F8412B040; Sun, 25 Sep 2016 16:20:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.517
X-Spam-Level:
X-Spam-Status: No, score=-6.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d9wiQBHHRgQn; Sun, 25 Sep 2016 16:20:35 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB53612B047; Sun, 25 Sep 2016 16:20:29 -0700 (PDT)
X-AuditID: 12074425-ed7ff700000024c2-1f-57e85bbb613e
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 8A.53.09410.BBB58E75; Sun, 25 Sep 2016 19:20:28 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id u8PNKRYN024441; Sun, 25 Sep 2016 19:20:27 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u8PNKOiC014786 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 25 Sep 2016 19:20:26 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id u8PNKNf5007354; Sun, 25 Sep 2016 19:20:23 -0400 (EDT)
Date: Sun, 25 Sep 2016 19:20:23 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: draft-ietf-kitten-krb-auth-indicator@ietf.org
Message-ID: <alpine.GSO.1.10.1609251734290.5272@multics.mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrIIsWRmVeSWpSXmKPExsUixG6nrrsn+kW4wdlz/BaHb+xitzi6eRWL A5PHkiU/mQIYo7hsUlJzMstSi/TtErgyjh/tZCmYL1fx8OYV9gbGGxJdjJwcEgImEn3XzjF1 MXJxCAm0MUmc/X+LBcLZyCjx9d59KOcQk8TJGWuYQVqEBBoYJRY89u1iZOdgEdCWOJgEEmUT UJGY+WYjWxcjB4eIgKHEyx4dkDCzgLDE+nMzwBqFBZwlvs17xgJi8wo4SBz9uAXMFhXQkVi9 fwpUXFDi5MwnLBC9WhLLp29jmcDINwtJahaS1AJGplWMsim5Vbq5iZk5xanJusXJiXl5qUW6 Fnq5mSV6qSmlmxjBIeWiuoNxzl+vQ4wCHIxKPLwLjj4PF2JNLCuuzD3EKMnBpCTKO+sCUIgv KT+lMiOxOCO+qDQntfgQowQHs5II79fQF+FCvCmJlVWpRfkwKWkOFiVx3q4ZB8KFBNITS1Kz U1MLUotgsjIcHEoSvC+igBoFi1LTUyvSMnNKENJMHJwgw3mAhteC1PAWFyTmFmemQ+RPMSpK ifMygSQEQBIZpXlwveCY382k+opRHOgVYd5wkCoeYLqA634FNJgJaPC3O09ABpckIqSkGhgF DOdblSzM2Zq5O1bYZs3890f6DvuXGD3NElh22Yv7XeWpXbnN2SdOc015lXzu3NTOlw0RB2+W pIsUdzAcbjtqzqH9MGTRpY5Jy1J0d5tw3M2dLJTge+Tqej9xp5TwYo/JwdJ+q48l5z4yXcMx Xb6A68SzNB8HPiE3efd/oftd/Vv+mv4q2abEUpyRaKjFXFScCADKpzqJ1AIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/lkoCQDv_fqGChInjzh_jJzD6C4Q>
Cc: kitten@ietf.org
Subject: [kitten] shepherd review of draft-ietf-kitten-krb-auth-indicator-02
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Sep 2016 23:20:41 -0000
Hi all, I've completed my shepherd review of draft-ietf-kitten-krb-auth-indicator-02, and unfortunately it seems that an additional revision may be needed. It feels like some parts of the document are written as if the "short strings" for comparison against known values are only for use when presented back to the KDC, but other parts of the document describe it as being used for policy decisions made by application services as well as the KDC. (If it was just the KDC that was handling it, the document would not need to specify, since KDC-internal things need not necessarily interoperate the way that public protocol elements do.) There is also the possibility (probability, really), of site-local values that are specific to a given realm. This is perhaps implied by the mention of "the name of the Pre-Authentication mechanism used" but not stated explicitly. The interoperability requirements for site-local values are less stringent, but there still needs to be a clear understanding of what the contents of the protocol field should be. So, I think that section 3 should be more stringent, saying something like "strings that contain a colon character MUST be URIs that reference a Level of Assurance Profile, leaving other strings available for site-local use". I also suspect that the last paragraph of the security considerations should be rewritten in a normative fashion and moved to section 3, to make it clear what the presence of a given string in the authdata indicates. (Do we know of reasons why someone might use this AD element to indicate something other than a positive indication that the indicated requirements were met during the initial authentication?) There's also some matter of form regarding the string "AD-AUTHENTICATION-INDICATOR", which should probably just be used for the definition of the ASN.1 type; the value 97 is the ad-type for which the contents of-the ad-data field will be the DER encoding of the AD-AUTHENTICATION-INDICATOR object. So, I would just say "The KDC MAY include authorization data of ad-type 97, wrapped in AD-CAMMAC, [...]" and skip the line that's just AD-AUTHENTICATION-INDICATOR 97 (and replace the colon with a full stop). Some other editorial notes: In the Abstract, s/the service tickets/service tickets/ In the Introduction, hyphenate "password-based". It's probably good to mention "or other preauthentication schemes" after public-key cryptography (which, hmm, should probably also be hyphenated), and make it into a comma-separated list. Is "have" the best word in "[i]mplmentations that have pre-authentication-mechanisms [...]"? Maybe "offer", "support", or "provide"? In the last sentence of the first paragraph, maybe "strength of the authentication that was used, for use as an input" would remove some ambiguity. In the second paragraph, maybe "to convey authentication strength information", and "Elements of this type [will|MUST] appear within an AD-CAMMAC". Also, it's probably worth a clause briefly saying why the CAMMAC is needed (to provide authenticity/integrity when a ticket is presented back to the KDC). The 2119 boilerplate doesn't list "NOT RECOMMENDED" but you don't use it, so maybe it doesn't need to change. In Section 3, it may be better to split the first sentence into two, so "The KDC MAY copy it from a ticket-granting ticket into service tickets" is a separate sentence, since the KDC can do the first without ever needing to do the latter. Still in Section 3, put a comma before "such as the name of the Pre-Authentication mechanism used". (Also, I sort-of want to ask "how short is a short string?", but there's not really a useful answer to give, particularly since the LoA URIs are in play and are likely to be longer than non-URI strings.) Thanks, Ben
- [kitten] shepherd review of draft-ietf-kitten-krb… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-ietf-kitten… Greg Hudson
- Re: [kitten] shepherd review of draft-ietf-kitten… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-ietf-kitten… Nathaniel McCallum
- Re: [kitten] shepherd review of draft-ietf-kitten… Nathaniel McCallum
- Re: [kitten] shepherd review of draft-ietf-kitten… Benjamin Kaduk
- [kitten] intended status and Updates: 4120 for dr… Benjamin Kaduk
- Re: [kitten] intended status and Updates: 4120 fo… Greg Hudson