Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
Nico Williams <nico@cryptonector.com> Sun, 19 February 2023 23:52 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41C27C14EB17 for <kitten@ietfa.amsl.com>; Sun, 19 Feb 2023 15:52:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wWjgbYg5IDig for <kitten@ietfa.amsl.com>; Sun, 19 Feb 2023 15:52:05 -0800 (PST)
Received: from butterfly.birch.relay.mailchannels.net (butterfly.birch.relay.mailchannels.net [23.83.209.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6288C14CEFF for <kitten@ietf.org>; Sun, 19 Feb 2023 15:52:04 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 076553E1507; Sun, 19 Feb 2023 23:52:04 +0000 (UTC)
Received: from pdx1-sub0-mail-a299.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 94F1E3E144A; Sun, 19 Feb 2023 23:52:03 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1676850723; a=rsa-sha256; cv=none; b=bD6SmFKY906rDf6GZjasL+imXYE1GLXxywJoTn7mBSFXzZKJSEDDj7JZrk7lpsO1I2ixNv +5H9CNAQ18fYT4remuiAuJ3ryHAuZop947Wyk5FY4ULnqX54IeiTJizxhNLXWSWHCbG/Tj vWtCvcwUneBAVaf+fh1RFQsBslD89YGw3NAedFbAkjJTY56CzngHq+NT+KnpWIvYlsR2m+ V4ezo4fFhqhOQB06hLtGcRnFNdGNDFUI+ks75hW3YRUo+YrKz3dxH9anZ9ZLsA/79GMBns /E6a1MyUdah8bCZ+P1d9qyX8z81aUYs/Q2XkM3rEnSUcBTPEXJdeuTbtS2hSog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1676850723; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=A0BqUPU3giQmN1JtzhFlxPcNQ+hp4HlIiu3NkZ22NDs=; b=FtdTdprvwiIAU6of53o3qOB3xA49nyNm66X0zKNPrpnC6QpHbeEczLQ32U396YGJ7pjd6l 8V7A3JfXYKQYhdxLhiz67dKEDdHA5VJHq3w+4e89EWk+uZ8owYH22XClveKxEfbEoJDtN9 W0zOWGlA971RhdVNuHJCYcu+ewiGzPyKrZPK/ofazQcny0Vy1SMqcRIj/J4WD3WHfzWUZr 497xILTqIx35maiqWL85k/SnxulvUDF3/gjzoqMn4BNZ/BM6zSYWhNuaXzOp6Xr7s/R72j 1a7lpu8NgvD3YFWmdxvXinpx5dzfUdcsI36wQkMb9Pe5J7orCQY7hBbl5/l1jQ==
ARC-Authentication-Results: i=1; rspamd-9788b98bc-bsr98; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Cold-Spicy: 612e450100cf6c8c_1676850723859_3936922860
X-MC-Loop-Signature: 1676850723859:572530817
X-MC-Ingress-Time: 1676850723859
Received: from pdx1-sub0-mail-a299.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.97.74.37 (trex/6.7.1); Sun, 19 Feb 2023 23:52:03 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a299.dreamhost.com (Postfix) with ESMTPSA id 4PKj5G6cG6z8J; Sun, 19 Feb 2023 15:52:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1676850723; bh=A0BqUPU3giQmN1JtzhFlxPcNQ+hp4HlIiu3NkZ22NDs=; h=Date:From:To:Cc:Subject:Content-Type; b=ZpBO4MZwvDqG/SqFSAbJqOuycw4jVMevMpcC1ULe15w4F2MFKsAanKeNlnc34byZv oAWk60xRK0yUX1ANiCorrLS0J3VqCsE6V9pFNyutUSePqBELHRCPj+BsPTHRPFR7Ct 6pIQJeatpFrZk8/tdG54eDWKSoxqKsAHGQTWU3p/B/Yq+a8l9DV/VHWIHrkXgD5m4A 5SqmjioOIBJch4WImQYd6AeGXd/AnLddtbd8hUKEt+VLLzWzus9cVnt7LFhnER4BYT x+2+3POFbMk0T1h72L8sKYtHdJ2zM74/tFyLQLVsrwpEON0ayM4Y11nGsSKCPZcffP LVhcqiHzttGGg==
Date: Sun, 19 Feb 2023 17:52:00 -0600
From: Nico Williams <nico@cryptonector.com>
To: Ken Hornstein <kenh@pobox.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/K2IEhX6c+b05Ye@gmail.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <6cb6f5ddfc7b9b150b4eef72db5a3f3b9566fd80.camel@redhat.com> <20230219194355.36139173DDE@pb-smtp2.pobox.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20230219194355.36139173DDE@pb-smtp2.pobox.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/qqNCzisG6W9KlW77X5GL5Ga2ytw>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Feb 2023 23:52:10 -0000
On Sun, Feb 19, 2023 at 02:43:54PM -0500, Ken Hornstein wrote: > >Just throwing it out here, because I sure would love to make it > >possible (and easier) to use kerberos-backed out on the Web, without > >all the issues that come with multiple-roundtrips, which are what I > >find breaks most of these scenarios (the complexity of the protocol > >itself and the unfamiliarity of any non-password/bearer based auth > >scheme aside). > > You know, the frustrating thing to me (as a Kerberos fan) is that > the multiple roundtrips problem isn't a Kerberos problem but more > related to all of the stuff layered on top of Kerberos (GSS, SPNEGO, > etc etc). I see how we got here, but I always was a bit skeptical of > the value-add of all of those layers in practice. I suspect that Simo is referring to HTTP 401, 200, 401, 200, .. problem. That can happen with any HTTP authentication scheme, and I've seen that. The solution is to use cookies. GSS-API adds no round trips. SPNEGO only adds a round trip if the initiator's optimistic choice fails. Kerberos w/o mutual auth needn't add even one round trip to the application layer protocol (though having huge tickets doesn't help) provided the application is using the sub-session keys (i.e., GSS per-message tokens or KRB-PRIV/SAFE). The problem with Kerberos is not the round trips. The biggest problem with Kerberos is that the world has been moving to HTTP for everything, and in HTTP land the number of user-agent implementations is enormous, and most don't support Negotiate. Credential orchestration needs to be self-service in all deployments, regardless of whether we're talking about Kerberos or PKI. (For this problem I've build an experimental Negotiate-as-a-service.) Another problem with Kerberos is credential orchestration -especially server credentials ("keytabs")- and the need for KDC synchronization. Just as there's a Let's Encrypt for the web that makes TLS server credential provisioning much simpler, Kerberos and anything else that requires server credentials also needs that. Without this feature it's all just hard to use and scale. The lack of a standard "kadmin" protocol for fetching keys (and rotating them) is a serious interoperability problem that causes integration and provisioning pain. (Maybe we should propose Heimdal's httpkadmind protocol?) There's also KDC synchronization that can be annoying. (For this problem in Heimdal we've build a virtual service principal namespace feature that derives service keys from the namespace's keys, the principals' names, and each key rotation epoch.) It's not like it's all great with other authentication protocols. - JWT lacks a fetch-a-rock protocol (like the TGS protocol). Such a protocol would have to be dead simple. - OIDC requires both, clients _and_ servers to talk to OIDC issuers. - OIDC and SAML transport authentication material in URI q-params. - Client certificate support coverage is terrible and hard to use from apps (especially where there's reverse proxy involved), plus the few apps that support client certs don't have any support for using SANs! - DIGEST is obsolete. - SCRAM was obsolete the day it was born. - PAKEs are not a general purpose solution. There are good reasons why Kerberos is still around; the shortcomings of other systems are among them. But there's been zero work in 30 years on making Kerberos easy to deploy, orchestrate, and operate. The number of people who are intimate with the protocol and who have the energy and funding to tackle these issues is dwindling. That's not a recipe for success. Nico --
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Greg Hudson
- [kitten] Windows Intent to revive and implement I… Steve Syfuhs (AP)
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Greg Hudson
- Re: [kitten] Windows Intent to revive and impleme… josh.howlett
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Replacing Kerberos (Re: Windows Intent t… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Ken Hornstein
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Paul Romero
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Luke Howard
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Andrew Bartlett
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Updates to IAKERB (Re: Windows Intent to… Nico Williams
- Re: [kitten] Updates to IAKERB (Re: Windows Inten… Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos D.Rogers
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Watson Ladd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Simo Sorce