Re: [kitten] Fwd: New Version Notification for draft-vanrein-dnstxt-krb1-05.txt

Nico Williams <nico@cryptonector.com> Fri, 18 September 2015 14:02 UTC

Date: Fri, 18 Sep 2015 09:02:48 -0500
From: Nico Williams <nico@cryptonector.com>
To: Rick van Rein <rick@openfortress.nl>
Message-ID: <20150918140247.GB13294@localhost>
References: <20150915143628.21162.89108.idtracker@ietfa.amsl.com> <55F82DA5.10504@openfortress.nl> <alpine.GSO.1.10.1509172254390.26829@multics.mit.edu> <55FBF0C8.6090904@openfortress.nl>
In-Reply-To: <55FBF0C8.6090904@openfortress.nl>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/lmE34HKGHNFAUSN7r7lBi9n9kig>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] Fwd: New Version Notification for draft-vanrein-dnstxt-krb1-05.txt

On Fri, Sep 18, 2015 at 01:08:56PM +0200, Rick van Rein wrote:
> Or, we could simply say
> 
>    "All retrieved _kerberos PTR data MUST be cast to all-uppercase characters
>    before processing with Kerberos and/or GSS-API.  This compensates for the
>    uncertainty of case mappings in DNS.  Kerberos realms that want to be
>    reachable through these PTR records MUST accept requests with the
>    realm name in all-uppercase form."

I'm very reluctant to agree to that, but I'd agree to saying that a TGS
client should first try the realm as it appears in the PTR RR and then
as up-cased if the first failed.

> This does not change the semantics of Kerberos AFAIK, and it remains open to

To be clear, there isn't and never has been a requirement that realm
names be upper-case.  Therefore your proposal would be in conflict with
Kerberos semantics, and the only saving grace is that sites with
non-all-upper-case realm names could simply not use PTR RRs this way.

> future changes in case handling in the KDC.  The mapping to uppercase is not
> a compensation for a temporary condition, but for the permanent uncertainty
> around case handling of PTR record data.

I realize that asking implementors to support realm aliasing is probably
a lot, but maybe not that much.  KDCs already have a list of realms
served.

The only thing that concerns me is how to canonicalize realm names for
name-based authorization.  This is the case where an AS client used an
alias realm name and now cannot get authorized to access some resources.
A service could canonicalize the client's realm name, but without a hint
from the KDC this won't scale.  The simplest thing to do is to reject
such AS-REQs and require that the client know the user's canonical
realm.  The next simplest thing to do would be to extend the AS protocol
to allow the AS to tell the client its canonical realm.  The next
simplest (and, really, hardest) thing to do would be to include
authz-data in tickets telling services the canonical form of the
client's realm.

> Shall I formulate the above in an individual submission and leave it to Kitten
> whether they want to lift it up to a WG spec?  That way we'd at least be out
> of the current impasse on this matter.

Sure.

Nico
--
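The two proposals in this exchange, modelled as an added example (not code from the message, the draft or any Kerberos implementation): a realm name learned from a _kerberos DNS record is matched against the set of realms a KDC serves, using either Rick's upper-case-only rule or Nico's try-as-found-then-upper-cased fallback. The realm names and the KDC realm lists are constructed, and a case-sensitive set membership test stands in for the real AS/TGS exchange.

```python
from typing import Callable, Optional

# Kerberos realm names are case-sensitive and a KDC serves a literal list of
# realm names, so matching a candidate against that list is a plain
# case-sensitive comparison.


def candidates_uppercase_only(dns_realm: str) -> list[str]:
    """Rick's rule: cast the retrieved realm to all-uppercase before use."""
    return [dns_realm.upper()]


def candidates_as_is_then_upper(dns_realm: str) -> list[str]:
    """Nico's alternative: try the realm exactly as it appears in the DNS
    record first, then the upper-cased form only if the first attempt failed."""
    cands = [dns_realm]
    if dns_realm.upper() != dns_realm:
        cands.append(dns_realm.upper())
    return cands


def resolve_realm(dns_realm: str, served_realms: set[str],
                  strategy: Callable[[str], list[str]]) -> Optional[str]:
    """Return the first candidate the (simulated) KDC serves, else None."""
    for realm in strategy(dns_realm):
        if realm in served_realms:  # case-sensitive, like a real realm match
            return realm
    return None


# Constructed sample KDC realm lists (hypothetical names).
UPPER_KDC = {"EXAMPLE.COM"}
MIXED_KDC = {"Example.COM"}  # a site whose realm name is not all-uppercase


def demo() -> dict[str, Optional[str]]:
    """Each scenario: (DNS answer as returned, KDC realm list, strategy)."""
    return {
        # Resolver returned the name lower-cased; realm really is upper-case.
        "upper_only/upper_kdc": resolve_realm("example.com", UPPER_KDC, candidates_uppercase_only),
        "as_is_first/upper_kdc": resolve_realm("example.com", UPPER_KDC, candidates_as_is_then_upper),
        # Resolver preserved case; realm is mixed-case. Forced upper-casing breaks it.
        "upper_only/mixed_kdc": resolve_realm("Example.COM", MIXED_KDC, candidates_uppercase_only),
        "as_is_first/mixed_kdc": resolve_realm("Example.COM", MIXED_KDC, candidates_as_is_then_upper),
        # Resolver lower-cased a mixed-case realm: neither strategy can recover it,
        # which is why such sites could simply not publish realms this way.
        "as_is_first/mixed_kdc_lowercased": resolve_realm("example.com", MIXED_KDC, candidates_as_is_then_upper),
    }
```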