Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Nico Williams <nico@cryptonector.com> Wed, 22 February 2023 00:53 UTC

Date: Tue, 21 Feb 2023 18:53:32 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
Cc: Luke Howard Bentata <lukeh@padl.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/VnjL/IBYXFWkYX@gmail.com>
References: <Y/K2IEhX6c+b05Ye@gmail.com> <Y/QT7BxdTHq0RYTz@gmail.com> <7064A9EB-EB01-426C-9BED-AFB97FA93551@padl.com> <Y/Q7hdTOF1HaxQKM@gmail.com> <Y/RFX4XywCAlhCeB@gmail.com> <MW4PR21MB197087AF4BB7632B0DF662619CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/T/3wwBIMZ+2mf6@gmail.com> <MW4PR21MB197051A332E7DD85FFB91EE69CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/UMA7xZYpOAWK4N@gmail.com> <MW4PR21MB19700BA2F20F8CC779F72CD39CA59@MW4PR21MB1970.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <MW4PR21MB19700BA2F20F8CC779F72CD39CA59@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/srboOgox4EC1Ge1RGJ8aNVrQ2rA>

On Tue, Feb 21, 2023 at 11:15:40PM +0000, Steve Syfuhs (AP) wrote:
> Key history does exist. We use N-1 key detection to trigger a TGS
> renew (krb-error REP with err-modified [or err-expired?]). We will not
> verify any ticket encrypted to the non-current key. That's nothing
> special with (g)MSAs though. For gMSAs we always know when the key
> needs to rotate irrespective of any sync so we don't strictly care
> about N-1.

But for cross-realm krbtgt key/password changes you really need to be
able to accept the previous key for some time!  Without that you'll have
failures that look like outages.

As for non-krbtgts, can the gMSA password retrieval protocol retrieve
the previous password when it's still needed to decrypt extant tickets?
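As an added illustration (not code from this thread, nor from Windows or any other Kerberos implementation), the Python below models the key-history policy the message argues for: a verifier keeps the current key and the previous (N-1) key, accepts the previous key only for a grace window after the rotation that superseded it (the longest lifetime a ticket carrying the old kvno could still have), and never accepts anything older. Running the same scenario with a zero-second grace window shows the failure mode described above, where a still-valid ticket is rejected right after a password change. The key material, timestamps, grace window and the HMAC-SHA256 "ticket" standing in for real ticket encryption are all constructed assumptions.

```python
from __future__ import annotations

import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KeyVersion:
    """One entry of a principal's key history (constructed toy model)."""
    kvno: int
    key: bytes
    became_current_at: int  # epoch seconds when this version became current


class KeyHistory:
    """Key history for one principal (e.g. a cross-realm krbtgt).

    Policy modelled here (an assumption, not text from the thread):
      * the current key always verifies;
      * the previous key (N-1) verifies only while the rotation that
        superseded it is younger than `grace_seconds` (the maximum
        lifetime of a ticket that could still carry the old kvno);
      * anything older (N-2 and beyond) never verifies.
    """

    def __init__(self, grace_seconds: int) -> None:
        self.grace_seconds = grace_seconds
        self._versions: dict[int, KeyVersion] = {}
        self._current_kvno: Optional[int] = None

    def rotate(self, key: bytes, now: int) -> int:
        """Install a new key version (a password change) and return its kvno."""
        kvno = 1 if self._current_kvno is None else self._current_kvno + 1
        self._versions[kvno] = KeyVersion(kvno, key, now)
        self._current_kvno = kvno
        return kvno

    @property
    def current_kvno(self) -> int:
        assert self._current_kvno is not None, "no key installed"
        return self._current_kvno

    def key_for(self, kvno: int, now: int) -> Optional[bytes]:
        """Return the key to verify a ticket issued under `kvno`, or None."""
        if kvno == self.current_kvno:
            return self._versions[kvno].key
        if kvno == self.current_kvno - 1:
            # N-1: accept only while the superseding rotation is within grace.
            superseded_at = self._versions[self.current_kvno].became_current_at
            if now - superseded_at <= self.grace_seconds:
                return self._versions[kvno].key
        return None  # retired key: tickets under it are no longer accepted


def issue_ticket(history: KeyHistory, payload: bytes, now: int) -> bytes:
    """Toy ticket: kvno || payload || HMAC tag under the current key.

    HMAC-SHA256 stands in for the real ticket encryption/checksum; the
    point is only that verification needs the key matching the kvno.
    """
    kvno = history.current_kvno
    key = history.key_for(kvno, now)
    body = kvno.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_ticket(history: KeyHistory, ticket: bytes, now: int) -> str:
    """Return 'ok', 'stale-kvno' (key retired) or 'bad-mac' (tampered)."""
    body, tag = ticket[:-32], ticket[-32:]
    kvno = int.from_bytes(body[:4], "big")
    key = history.key_for(kvno, now)
    if key is None:
        return "stale-kvno"  # the failure that looks like an outage
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(tag, expected) else "bad-mac"


def scenario(grace_seconds: int) -> dict[str, str]:
    """Walk one principal through two rotations (constructed timeline)."""
    hist = KeyHistory(grace_seconds)
    hist.rotate(b"constructed-key-v1", now=0)
    t_old = issue_ticket(hist, b"client@A -> krbtgt/B@A", now=10)

    hist.rotate(b"constructed-key-v2", now=100)  # first password change
    out = {
        "old_ticket_just_after_rotation": verify_ticket(hist, t_old, now=200),
        "old_ticket_after_grace": verify_ticket(hist, t_old, now=100 + grace_seconds + 1),
    }
    t_mid = issue_ticket(hist, b"client@A -> krbtgt/B@A", now=150)
    hist.rotate(b"constructed-key-v3", now=300)  # second password change
    out["old_ticket_after_two_rotations"] = verify_ticket(hist, t_old, now=350)
    out["mid_ticket_after_one_rotation"] = verify_ticket(hist, t_mid, now=350)
    return out


if __name__ == "__main__":
    print("grace = 10h:", scenario(36000))
    print("grace = 0s :", scenario(0))
```

With a 10-hour grace window the ticket issued under kvno 1 still verifies shortly after the first rotation and is rejected only once the window has passed or a second rotation has made it N-2; with a zero-second window (no N-1 acceptance at all) the same ticket is rejected the moment the password changes.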