Re: [kitten] Token Preauth for Kerberos
Benjamin Kaduk <kaduk@MIT.EDU> Wed, 09 July 2014 14:17 UTC
Date: Wed, 09 Jul 2014 10:17:52 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: "Zheng, Kai" <kai.zheng@intel.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/sGbaQ9FB3yVvq1WEXcLZ4Tlac0Q
Cc: "kitten@ietf.org" <kitten@ietf.org>, "krbdev@mit.edu" <krbdev@MIT.EDU>
Subject: Re: [kitten] Token Preauth for Kerberos

On Tue, 8 Jul 2014, Zheng, Kai wrote:

> Hi Greg,
>
>> this sounds like creating a container-of-anything within an existing
>> container-of-anything. That is, if you see something within an AD-TOKEN
>> subcontainer, you don't know anything about what it is, only something
>> about where it came from and how it is encoded.
>
> Hmmm, not exactly as what I mean. It's container-of-exactly-token within
> the existing container-of-anything (AD-KDC-ISSUED). Looking at AD-TOKEN
> subcontainer, applications are meant to get a token from it, as AD-TOKEN
> could be defined as:

AD-TOKEN is a "container of anything" not in the sense of the ASN.1 data
type, but rather that the JWT token therein could contain any sort of
information about the user making the request, restrictions placed on the
token, and so on. (Almost) any sort of information could be in the
AD-TOKEN, even if only a single data type is permitted.

-Ben