Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Nico Williams <nico@cryptonector.com> Sat, 18 February 2023 00:24 UTC

Date: Fri, 17 Feb 2023 18:23:52 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs=40microsoft.com@dmarc.ietf.org>
Cc: Jeffrey Altman <jaltman@secure-endpoints.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/AamL5pPJW1sYrv@gmail.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/AYFbD6wCrszskG@gmail.com>
In-Reply-To: <Y/AYFbD6wCrszskG@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ojfS5CuHENQgRCv8obb62ebLd-c>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

In other words, the fix for rt #8021 was expedient and correct-enough,
but not really correct, while the correct fix would pollute the SPNEGO
implementation with knowledge of mechanism details it has heretofore
managed to avoid.

If we implement IAKERB in Heimdal we'll want to implement the more
correct fix that makes us sad.

Nico
--