Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-00.txt

Greg Hudson <ghudson@mit.edu> Sun, 01 February 2015 17:38 UTC

Message-ID: <54CE6472.9050408@mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>, kitten@ietf.org
References: <20150123003504.3896.40306.idtracker@ietfa.amsl.com> <alpine.GSO.1.10.1501291713230.23489@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1501291713230.23489@multics.mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/mc1GxOm5u1bNx8td66jsgZN9QRo>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

I have some questions, mostly related to PA-AS-FRESHNESS-REQUEST:

1. Is this padata type needed at all?  The only benefit I can see is
that KDCs can omit PA-AS-FRESHNESS from the PREAUTH_REQUIRED hint list
if the client doesn't support it, but that benefit vanishes as more
clients support the new feature.

2. If it is needed, does it need to have a different padata type value
from PA-AS-FRESHNESS?

3. The draft defines "PA-AS-FRESHNESS-REQUEST ::= NULL".  Is the intent
that the client will use a padata-value of 05 00 (an ASN.1 NULL value
encoded in DER)?  An empty padata-value would be more traditional and
more compact.

4. The draft defines "PA-AS-FRESHNESS ::= OCTET STRING".  Is it
desirable to wrap the freshness token in a DER OCTET STRING tag, or
could we just transmit the value directly within the padata-value?  Of
course the value still needs to have type OCTET STRING within the
PKAuthenticator.

5. It looks like this mechanism is general enough to be used by other
preauthentication mechanisms in the future, if they have similar
requirements.  Perhaps the RFC should explicitly call out that possibility.
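The encoding questions in points 3 and 4 above come down to how a padata-value looks on the wire. The following is an added example, not code from the thread, the draft, or any Kerberos implementation: a minimal DER encoder and strict decoder written from the X.690 rules, used to show the two shapes of PA-AS-FRESHNESS-REQUEST (empty versus the two-byte DER NULL 05 00) and the two shapes of PA-AS-FRESHNESS (raw token versus the token wrapped in an OCTET STRING tag), plus the exact byte overhead the wrapper adds. The freshness token bytes are constructed opaque data; the draft's token format is not described on this page, and the function names are hypothetical.

```python
# Added example (not from the thread or the draft): DER shapes of the two
# padata-values discussed above. Encoder and decoder follow X.690 DER rules.

TAG_OCTET_STRING = 0x04
TAG_NULL = 0x05


def der_length(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_null():
    """DER encoding of ASN.1 NULL: tag 05, length 00."""
    return bytes([TAG_NULL, 0x00])


def der_octet_string(value):
    """DER encoding of OCTET STRING: tag 04, length, contents."""
    return bytes([TAG_OCTET_STRING]) + der_length(len(value)) + bytes(value)


def der_decode(buf):
    """Decode exactly one DER TLV and return (tag, contents).

    Rejects truncated input, trailing bytes and non-minimal length encodings,
    all of which a strict DER parser must refuse."""
    buf = bytes(buf)
    if len(buf) < 2:
        raise ValueError("truncated TLV")
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, start = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length form")
        lbytes = buf[2:2 + nbytes]
        if len(lbytes) != nbytes:
            raise ValueError("truncated length")
        if lbytes[0] == 0:
            raise ValueError("non-minimal length (leading zero octet)")
        length = int.from_bytes(lbytes, "big")
        if length < 0x80:
            raise ValueError("non-minimal length (long form for short value)")
        start = 2 + nbytes
    end = start + length
    if end > len(buf):
        raise ValueError("truncated contents")
    if end != len(buf):
        raise ValueError("trailing data after TLV")
    return tag, buf[start:end]


# ---- PA-AS-FRESHNESS-REQUEST (point 3): DER NULL versus empty value ----

def freshness_request_padata_value(as_der_null):
    """Hypothetical client side: emit 05 00 or an empty padata-value."""
    return der_null() if as_der_null else b""


def parse_freshness_request_padata_value(padata_value):
    """Hypothetical KDC side: accept either shape, reject anything else."""
    if len(padata_value) == 0:
        return True
    tag, contents = der_decode(padata_value)
    if tag != TAG_NULL or contents != b"":
        raise ValueError("expected empty padata-value or DER NULL")
    return True


# ---- PA-AS-FRESHNESS (point 4): raw token versus OCTET STRING wrapper ----

def freshness_padata_value(token, wrap_in_octet_string):
    """Hypothetical KDC side: send the token raw or DER-wrapped."""
    return der_octet_string(token) if wrap_in_octet_string else bytes(token)


def parse_freshness_padata_value(padata_value, expect_octet_string):
    """Hypothetical client side: recover the token under either convention."""
    if not expect_octet_string:
        return bytes(padata_value)
    tag, contents = der_decode(padata_value)
    if tag != TAG_OCTET_STRING:
        raise ValueError("expected OCTET STRING")
    return contents


def wrapping_overhead(token_len):
    """Bytes the OCTET STRING wrapper adds for a token of this length."""
    return 1 + len(der_length(token_len))


if __name__ == "__main__":
    token = bytes(range(32))  # constructed opaque token, not a real freshness token
    print(freshness_request_padata_value(True).hex())        # 0500
    print(freshness_padata_value(token, True)[:2].hex())     # 0420
    print(wrapping_overhead(32), wrapping_overhead(200), wrapping_overhead(300))
```

The strict decoder is the part worth keeping in mind whichever shape the draft settles on: if the value is DER-wrapped, a receiver should refuse non-minimal lengths and trailing bytes rather than tolerate them, since lax TLV parsing is where encoding ambiguities turn into interoperability and security bugs.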