IETF Logo Mail Archive

Re: [kitten] Token Preauth for Kerberos

Nathaniel McCallum <npmccallum@redhat.com> Wed, 11 June 2014 14:52 UTC

Return-Path: <npmccallum@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 705C91A0141 for <kitten@ietfa.amsl.com>; Wed, 11 Jun 2014 07:52:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SyiA8cZi3_5v for <kitten@ietfa.amsl.com>; Wed, 11 Jun 2014 07:52:11 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id 05C7E1A0127 for <kitten@ietf.org>; Wed, 11 Jun 2014 07:52:10 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s5BEq9GW007246 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Jun 2014 10:52:10 -0400
Received: from vpn-52-75.rdu2.redhat.com (vpn-52-75.rdu2.redhat.com [10.10.52.75]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s5BEq4cT027981 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NO); Wed, 11 Jun 2014 10:52:07 -0400
Message-ID: <1402498324.2955.2.camel@ipa.example.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: "Zheng, Kai" <kai.zheng@intel.com>
Date: Wed, 11 Jun 2014 10:52:04 -0400
In-Reply-To: <8D5F7E3237B3ED47B84CF187BB17B666118D8E14@SHSMSX103.ccr.corp.intel.com>
References: <8D5F7E3237B3ED47B84CF187BB17B666118D870F@SHSMSX103.ccr.corp.intel.com> <5397328E.6020005@mit.edu> <8D5F7E3237B3ED47B84CF187BB17B666118D8E14@SHSMSX103.ccr.corp.intel.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/nN-klsmxitDJVGDyv5Q9bFByi6w
X-Mailman-Approved-At: Wed, 11 Jun 2014 16:40:54 -0700
Cc: "kitten@ietf.org" <kitten@ietf.org>, "Jiang, Weihua" <weihua.jiang@intel.com>, "krbdev@mit.edu" <krbdev@mit.edu>
Subject: Re: [kitten] Token Preauth for Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jun 2014 14:53:25 -0000

On Wed, 2014-06-11 at 08:15 +0000, Zheng, Kai wrote:
> Hi Greg,
> 
> Thanks for your valuable feedback and suggestions!
> 
> 1. Yes you're right I'm taking the OTP approach and use the FAST armor key as the reply key. As mentioned in the proposal we suggest PKINIT be deployed along with this mechanism,
> And client uses PKINIT anonymous to obtain the armor ticket. It doesn't provide mutual authentication since only KDC is authenticated to client with the configured certificate of KDC and 
> client doesn't due to lacking of certificate as to avoid the deployment overhead in our solution. So protecting the token here in AS-REQ exchange mainly depends on the FAST tunnel and
> client should be careful about the armor ticket.

You may be interested in this proposal:
http://mailman.mit.edu/pipermail/krbdev/2014-May/011958.html

Nathaniel

v2.30.2 | Report a Bug | By Email | System Status