Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt
Rick van Rein <rick@openfortress.nl> Tue, 22 March 2016 00:40 UTC
Return-Path: <rick@openfortress.nl>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6740512D168; Mon, 21 Mar 2016 17:40:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level:
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UkZ6kUDn0iDT; Mon, 21 Mar 2016 17:40:20 -0700 (PDT)
Received: from lb1-smtp-cloud2.xs4all.net (lb1-smtp-cloud2.xs4all.net [194.109.24.21]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F2E412D16E; Mon, 21 Mar 2016 17:40:16 -0700 (PDT)
Received: from airhead.fritz.box ([83.161.146.46]) by smtp-cloud2.xs4all.net with ESMTP id Yog41s00V10HQrX01ogEwY; Tue, 22 Mar 2016 01:40:14 +0100
Message-ID: <56F0945E.5070804@openfortress.nl>
Date: Tue, 22 Mar 2016 01:39:58 +0100
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: draft-ietf-kitten-pkinit-freshness@ietf.org
References: <20160321223215.12211.35084.idtracker@ietfa.amsl.com>
In-Reply-To: <20160321223215.12211.35084.idtracker@ietfa.amsl.com>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/oxoUOOuvSqRBMapB-nK7by76H80>
Cc: kitten@ietf.org
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-05.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 00:40:22 -0000
Hi, > Abstract: > This document describes how to further extend the Public Key > Cryptography for Initial Authentication in Kerberos (PKINIT) > extension [RFC4556] to exchange an opaque data blob that a KDC can > validate to ensure that the client is currently in possession of the > private key during a PKINIT AS exchange. > If I read the draft correctly, then failure of the client to comply with the KDC's idea of proper freshness quoting can end up in an infinite cycle of KRB-ERROR with freshness tokens? There is a remark about receiving the second KRB-ERROR with a freshness token (not of the first) but nothing seems to be limiting the number of freshness token handling cycles. Did I miss that? -Rick
- [kitten] I-D Action: draft-ietf-kitten-pkinit-fre… internet-drafts
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Rick van Rein
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Paul Miller (NT)
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Rick van Rein
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Greg Hudson
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Michiko Short
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Benjamin Kaduk
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Greg Hudson
- Re: [kitten] I-D Action: draft-ietf-kitten-pkinit… Michiko Short