Re: [kitten] draft-ietf-kitten-rfc4402bis-00 (was: Re: WGLC for three "bis" documents: draft-ietf-kitten-rfc4402bis-00, draft-ietf-kitten-rfc5653bis-01, draft-ietf-kitten-rfc6112bis-00)

Shawn M Emery <shawn.emery@oracle.com> Tue, 17 February 2015 04:12 UTC

Return-Path: <shawn.emery@oracle.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49F791A8703 for <kitten@ietfa.amsl.com>; Mon, 16 Feb 2015 20:12:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Up1VlIEbZXKu for <kitten@ietfa.amsl.com>; Mon, 16 Feb 2015 20:12:30 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9466F1A8701 for <kitten@ietf.org>; Mon, 16 Feb 2015 20:12:30 -0800 (PST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id t1H4CTxR030202 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <kitten@ietf.org>; Tue, 17 Feb 2015 04:12:29 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id t1H4CSs7024908 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <kitten@ietf.org>; Tue, 17 Feb 2015 04:12:29 GMT
Received: from abhmp0014.oracle.com (abhmp0014.oracle.com [141.146.116.20]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id t1H4CS7n026824 for <kitten@ietf.org>; Tue, 17 Feb 2015 04:12:28 GMT
Received: from [10.159.84.144] (/10.159.84.144) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 16 Feb 2015 20:12:28 -0800
Message-ID: <54E2BFE4.4000003@oracle.com>
Date: Mon, 16 Feb 2015 21:13:24 -0700
From: Shawn M Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:17.0) Gecko/20150125 Thunderbird/17.0.11
MIME-Version: 1.0
To: "kitten@ietf.org" <kitten@ietf.org>
References: <alpine.GSO.1.10.1501201753140.23489@multics.mit.edu> <54CE9F5B.9070808@mit.edu> <alpine.GSO.1.10.1502131258090.3953@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1502131258090.3953@multics.mit.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/oaGDuH3lgotRON0XztcEFEN2t2w>
Subject: Re: [kitten] draft-ietf-kitten-rfc4402bis-00 (was: Re: WGLC for three "bis" documents: draft-ietf-kitten-rfc4402bis-00, draft-ietf-kitten-rfc5653bis-01, draft-ietf-kitten-rfc6112bis-00)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2015 04:12:32 -0000

Thanks for your review, comments in-line...

On 02/13/15 11:16 AM, Benjamin Kaduk wrote:
> On Sun, 1 Feb 2015, Greg Hudson wrote:
>
>> On 01/20/2015 06:02 PM, Benjamin Kaduk wrote:
>>> http://tools.ietf.org/html/draft-ietf-kitten-rfc4402bis-00
>> I reviewed this and did not find any problems with it.
> I also did not find any substantive issues with it.  Some non-substantive
> issues are noted below.
>
>
> The reference for the Kerberos V GSS-API mechanism in section 1.1 seems to
> have changed from RFC 4121 to RFC 1964; is this a correct change?

Good catch.  The XML source obtained referenced this back when it was a 
draft.  I've updated accordingly.

>
> The RFC 2119 language conventions statement has been moved later in the
> document, after at least the first occurrence of "MUST".  It would be nice
> to have the RFC 2119 text before the first use of its keywords.

Yes, this is awkward.  I've updated accordingly.

> The original RFC 4402 security considerations include:
>
>     [...] if an
>     application can be tricked into providing very large input octet
>     strings and requesting very long output octet strings, then that may
>     constitute a denial of service attack on the application; therefore,
>     applications SHOULD place appropriate limits on the size of any input
>     octet strings received from their peers without integrity protection.
>
> It is not clear to me that integrity protection is sufficient to alleviate
> the denial of service attack, since verifying the message integrity may
> itself consume a substantial amount of resources.

I interpret this statement differently:

     If integrity protection is not enforced then an attacker can 
construct an arbitrarily long string.

> In the added text,
>
> % This document obsoletes RFC 4402 and reclassifies that document as
> % historic.  RFC 4402 starts the PRF+ counter at 1, however a number
> % implementations starts the counter at 0.  As a result, the original
>
> it should be "a number of implementations start" (add "of" and remove 's'
> from "starts") to be grammatical.
>
>
> Thanks again to Greg for supplying the test vectors.

...and also to Nico who verified the vectors in Heimdal.  Eventual 
shepherd should take note...

Shawn.
--