Re: [kitten] WGLC on draft-ietf-krb-wg-cammac-08

"Zheng, Kai" <kai.zheng@intel.com> Mon, 04 August 2014 13:57 UTC

From: "Zheng, Kai" <kai.zheng@intel.com>
To: Tom Yu <tlyu@MIT.EDU>
Date: Mon, 04 Aug 2014 13:57:20 +0000
Message-ID: <8D5F7E3237B3ED47B84CF187BB17B6661193B4ED@SHSMSX103.ccr.corp.intel.com>
References: <53799133.70201@oracle.com> <53BB8362.3010605@oracle.com> <8D5F7E3237B3ED47B84CF187BB17B666118FB2BB@SHSMSX103.ccr.corp.intel.com> <ldv7g2sqazs.fsf@sarnath.mit.edu>
In-Reply-To: <ldv7g2sqazs.fsf@sarnath.mit.edu>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/tLDcXUnHr6BVswz9rvslPchlrbk
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] WGLC on draft-ietf-krb-wg-cammac-08

Hi Tom,

Yes, it looks better. Thanks for your response!

Regards,
Kai

-----Original Message-----
From: Tom Yu [mailto:tlyu@MIT.EDU]
Sent: Saturday, August 02, 2014 3:13 AM
To: Zheng, Kai
Cc: Shawn M Emery; kitten@ietf.org
Subject: Re: [kitten] WGLC on draft-ietf-krb-wg-cammac-08

"Zheng, Kai" <kai.zheng@intel.com> writes:

> Regarding the following:
> ===
> However, protocol extensions such as Constrained Delegation (S4U2Proxy
>    [MS-SFU]) require that a service present to the KDC a service ticket
>    that the service received from a client, as evidence that the client
>    authenticated to the service.  In the S4U2Proxy extension, the KDC
>    uses the evidence ticket as the basis for issuing a derivative ticket
>    that the service can then use to impersonate the client.
> ===

[...]

> This forwardable service ticket might have been obtained by a 
> KRB_AP_REQ and come from the user client (the case mentioned here), or 
> by an S4U2self request (ignored here).

Hi Kai,

Thanks for your comment.  I can see how apparently ignoring tickets obtained from S4U2Self could be distracting or confusing to a reader.
Would the following text be better?

   However, protocol extensions such as Constrained Delegation
   (S4U2Proxy [MS-SFU]) require that a service present to the KDC a
   service ticket that the KDC previously issued, as evidence that the
   service is authorized to impersonate the client principal named in
   that ticket.  In the S4U2Proxy extension, the KDC uses the evidence
   ticket as the basis for issuing a derivative ticket that the service
   can then use to impersonate the client.
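The S4U2Proxy evidence-ticket decision that the revised text describes (the KDC accepting a forwardable ticket it previously issued to the service as the basis for a derivative ticket), as an added toy model that is not code from the draft, MS-SFU or any Kerberos implementation: a "ticket" here is a JSON body tagged with an HMAC under the service's key standing in for real encryption, and the service keys, principal names and the per-service delegation allow list are all constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample keys; in a real KDC these are the services' long-term keys.
SERVICE_KEYS = {"http/web.example": b"web-key", "cifs/file.example": b"file-key"}
# Toy stand-in for a per-service constrained-delegation allow list (assumption).
ALLOWED_TARGETS = {"http/web.example": {"cifs/file.example"}}


def issue_ticket(client, service, forwardable):
    """Toy KDC: the ticket body is JSON, integrity-protected by an HMAC under
    the named service's key (a real ticket is ASN.1 and encrypted)."""
    body = json.dumps({"client": client, "service": service,
                       "forwardable": forwardable}, sort_keys=True).encode()
    tag = hmac.new(SERVICE_KEYS[service], body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def ticket_client(ticket):
    """Client principal named in a toy ticket."""
    return json.loads(ticket["body"])["client"]


def s4u2proxy(requesting_service, evidence, target_service):
    """Model of the KDC's S4U2Proxy check. The evidence ticket must be one the
    KDC issued to the requesting service, must be forwardable, and the
    requester must be allowed to delegate to the target. Returns
    (derivative_ticket, None) on success or (None, reason) on refusal."""
    key = SERVICE_KEYS.get(requesting_service)
    if key is None:
        return None, "unknown requesting service"
    expected = hmac.new(key, evidence["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, evidence["tag"]):
        return None, "evidence ticket was not issued under the requester's key"
    t = json.loads(evidence["body"])
    if t["service"] != requesting_service:
        return None, "evidence ticket names a different service"
    if not t["forwardable"]:
        return None, "evidence ticket is not forwardable"
    if target_service not in ALLOWED_TARGETS.get(requesting_service, set()):
        return None, "requester not allowed to delegate to target service"
    # Derivative ticket: the client identity carries over to the target
    # service, so the requester can now impersonate that client there.
    return issue_ticket(t["client"], target_service, forwardable=False), None
```

The refusal reasons show what a KDC log line should distinguish: an integrity failure on the evidence ticket is a very different event from a correctly issued ticket that merely is not forwardable or names a target outside the allow list.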