Re: [kitten] intended status and Updates: 4120 for draft-ietf-kitten-krb-auth-indicator-02

Greg Hudson <ghudson@mit.edu> Thu, 17 November 2016 17:30 UTC

To: Benjamin Kaduk <kaduk@mit.edu>, Nathaniel McCallum <npmccallum@redhat.com>
References: <alpine.GSO.1.10.1609251734290.5272@multics.mit.edu> <c0921ba3-7b3e-4716-736b-b73518dafe93@mit.edu> <1475081412.9001.8.camel@redhat.com> <alpine.GSO.1.10.1609292358310.5272@multics.mit.edu> <20161117071344.GO86797@kduck.kaduk.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <dabb73d8-e78f-8c06-65ab-2b5bc182ae92@mit.edu>
Date: Thu, 17 Nov 2016 12:30:13 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/mBmTFvD_W75NaTvrtxcxrcg2yOU>
Cc: kitten@ietf.org, draft-ietf-kitten-krb-auth-indicator@ietf.org
Subject: Re: [kitten] intended status and Updates: 4120 for draft-ietf-kitten-krb-auth-indicator-02

On 11/17/2016 02:13 AM, Benjamin Kaduk wrote:
>> I do have one question, though: the new version says that the CAMMAC
>> requirement "exists to provide integrity protection from man-in-the-middle
>> attacks", which is a bit odd, since AuthorizationData appear within the
>> EncTicketPart (and the auth-indicator is not expected to appear "bare" in
>> KDC-REQ or Authenticators, since it is supposed to be KDC-issued).  So,
>> unfortunately, that sentence still leaves me confused.

I agree with Ben that this statement is incorrect.

If an auth indicator appeared with no container, or in an if-relevant
container, a server would not know if the value came from the KDC or
from the client (which can request arbitrary authdata at AS-REQ or
TGS-REQ time).

If an auth indicator appeared in a kdc-issued container, a server could
trust it, but the indicator couldn't be safely propagated over an
S4U2Proxy request.  Although that concern might not be relevant in all
deployments, we are requiring CAMMAC for simplicity, using the model
that CAMMAC is an upgraded kdc-issued.

I suggest removing the offending text; I cannot think of a pithy
replacement and I don't think we need it.