Re: [kitten] draft-ietf-kitten-rfc4402bis-00 (was: Re: WGLC for three "bis" documents: draft-ietf-kitten-rfc4402bis-00, draft-ietf-kitten-rfc5653bis-01, draft-ietf-kitten-rfc6112bis-00)
Shawn M Emery <shawn.emery@oracle.com> Tue, 17 February 2015 04:12 UTC
Return-Path: <shawn.emery@oracle.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49F791A8703 for <kitten@ietfa.amsl.com>; Mon, 16 Feb 2015 20:12:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Up1VlIEbZXKu for <kitten@ietfa.amsl.com>; Mon, 16 Feb 2015 20:12:30 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9466F1A8701 for <kitten@ietf.org>; Mon, 16 Feb 2015 20:12:30 -0800 (PST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id t1H4CTxR030202 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <kitten@ietf.org>; Tue, 17 Feb 2015 04:12:29 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id t1H4CSs7024908 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <kitten@ietf.org>; Tue, 17 Feb 2015 04:12:29 GMT
Received: from abhmp0014.oracle.com (abhmp0014.oracle.com [141.146.116.20]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id t1H4CS7n026824 for <kitten@ietf.org>; Tue, 17 Feb 2015 04:12:28 GMT
Received: from [10.159.84.144] (/10.159.84.144) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 16 Feb 2015 20:12:28 -0800
Message-ID: <54E2BFE4.4000003@oracle.com>
Date: Mon, 16 Feb 2015 21:13:24 -0700
From: Shawn M Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:17.0) Gecko/20150125 Thunderbird/17.0.11
MIME-Version: 1.0
To: "kitten@ietf.org" <kitten@ietf.org>
References: <alpine.GSO.1.10.1501201753140.23489@multics.mit.edu> <54CE9F5B.9070808@mit.edu> <alpine.GSO.1.10.1502131258090.3953@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1502131258090.3953@multics.mit.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/oaGDuH3lgotRON0XztcEFEN2t2w>
Subject: Re: [kitten] draft-ietf-kitten-rfc4402bis-00 (was: Re: WGLC for three "bis" documents: draft-ietf-kitten-rfc4402bis-00, draft-ietf-kitten-rfc5653bis-01, draft-ietf-kitten-rfc6112bis-00)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2015 04:12:32 -0000
Thanks for your review, comments in-line... On 02/13/15 11:16 AM, Benjamin Kaduk wrote: > On Sun, 1 Feb 2015, Greg Hudson wrote: > >> On 01/20/2015 06:02 PM, Benjamin Kaduk wrote: >>> http://tools.ietf.org/html/draft-ietf-kitten-rfc4402bis-00 >> I reviewed this and did not find any problems with it. > I also did not find any substantive issues with it. Some non-substantive > issues are noted below. > > > The reference for the Kerberos V GSS-API mechanism in section 1.1 seems to > have changed from RFC 4121 to RFC 1964; is this a correct change? Good catch. The XML source obtained referenced this back when it was a draft. I've updated accordingly. > > The RFC 2119 language conventions statement has been moved later in the > document, after at least the first occurrence of "MUST". It would be nice > to have the RFC 2119 text before the first use of its keywords. Yes, this is awkward. I've updated accordingly. > The original RFC 4402 security considerations include: > > [...] if an > application can be tricked into providing very large input octet > strings and requesting very long output octet strings, then that may > constitute a denial of service attack on the application; therefore, > applications SHOULD place appropriate limits on the size of any input > octet strings received from their peers without integrity protection. > > It is not clear to me that integrity protection is sufficient to alleviate > the denial of service attack, since verifying the message integrity may > itself consume a substantial amount of resources. I interpret this statement differently: If integrity protection is not enforced then an attacker can construct an arbitrarily long string. > In the added text, > > % This document obsoletes RFC 4402 and reclassifies that document as > % historic. RFC 4402 starts the PRF+ counter at 1, however a number > % implementations starts the counter at 0. As a result, the original > > it should be "a number of implementations start" (add "of" and remove 's' > from "starts") to be grammatical. > > > Thanks again to Greg for supplying the test vectors. ...and also to Nico who verified the vectors in Heimdal. Eventual shepherd should take note... Shawn. --
- [kitten] On stream-based GSSContext methods in RF… Wang Weijun
- Re: [kitten] On stream-based GSSContext methods i… Weijun Wang
- Re: [kitten] On stream-based GSSContext methods i… Nico Williams
- Re: [kitten] On stream-based GSSContext methods i… Nico Williams
- Re: [kitten] On stream-based GSSContext methods i… Thomas Maslen
- Re: [kitten] On stream-based GSSContext methods i… Wang Weijun
- Re: [kitten] WGLC for three "bis" documents: draf… Sam Hartman
- Re: [kitten] WGLC for three "bis" documents: draf… Shawn M Emery
- Re: [kitten] WGLC for three "bis" documents: draf… Weijun Wang
- Re: [kitten] WGLC for three "bis" documents: draf… Martin Rex
- [kitten] WGLC for three "bis" documents: draft-ie… Benjamin Kaduk
- Re: [kitten] WGLC for three "bis" documents: draf… Benjamin Kaduk
- Re: [kitten] WGLC for three "bis" documents: draf… Weijun Wang
- Re: [kitten] WGLC for three "bis" documents: draf… Greg Hudson
- Re: [kitten] WGLC for three "bis" documents: draf… Wang Weijun
- Re: [kitten] WGLC for three "bis" documents: draf… Benjamin Kaduk
- [kitten] draft-ietf-kitten-rfc5653bis-02 review Benjamin Kaduk
- Re: [kitten] WGLC for three "bis" documents: draf… Greg Hudson
- Re: [kitten] WGLC for three "bis" documents: draf… Weijun Wang
- Re: [kitten] WGLC for three "bis" documents: draf… Benjamin Kaduk
- Re: [kitten] WGLC for three "bis" documents: draf… Weijun Wang
- Re: [kitten] WGLC for three "bis" documents: draf… Benjamin Kaduk
- Re: [kitten] WGLC for three "bis" documents: draf… Benjamin Kaduk
- Re: [kitten] WGLC for three "bis" documents: draf… Weijun Wang
- Re: [kitten] WGLC for three "bis" documents: draf… Weijun Wang
- Re: [kitten] WGLC for three "bis" documents: draf… Greg Hudson
- Re: [kitten] WGLC for three "bis" documents: draf… Weijun Wang
- Re: [kitten] WGLC for three "bis" documents: draf… Bill Mills
- Re: [kitten] WGLC for three "bis" documents: draf… Greg Hudson
- Re: [kitten] draft-ietf-kitten-rfc5653bis-02 revi… Wang Weijun
- Re: [kitten] last week of WGLC for three "bis" do… Benjamin Kaduk
- Re: [kitten] WGLC for three "bis" documents: draf… Benjamin Kaduk
- Re: [kitten] WGLC for three "bis" documents: draf… Nico Williams
- Re: [kitten] WGLC for three "bis" documents: draf… Nico Williams
- Re: [kitten] draft-ietf-kitten-rfc5653bis-02 revi… Nico Williams
- Re: [kitten] draft-ietf-kitten-rfc5653bis-02 revi… Nico Williams
- Re: [kitten] draft-ietf-kitten-rfc4402bis-00 (was… Shawn M Emery
- Re: [kitten] WGLC for three "bis" documents: draf… Benjamin Kaduk
- Re: [kitten] draft-ietf-kitten-rfc4402bis-00 (was… Benjamin Kaduk
- Re: [kitten] draft-ietf-kitten-rfc4402bis-00 (was… Nico Williams
- Re: [kitten] WGLC for three "bis" documents: draf… Benjamin Kaduk
- Re: [kitten] WGLC for three "bis" documents: draf… Benjamin Kaduk
- Re: [kitten] draft-ietf-kitten-rfc4402bis-00 Shawn M Emery