Re: [kitten] Kerberos Service Discovery using DNS

Rick van Rein <rick@openfortress.nl> Tue, 10 March 2015 21:27 UTC

From: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <1425578271.2715.5.camel@redhat.com>
Date: Tue, 10 Mar 2015 22:27:03 +0100
Message-Id: <2CB0CE49-2109-4666-9FFA-33538244E84E@openfortress.nl>
References: <1425578271.2715.5.camel@redhat.com>
To: Nathaniel McCallum <npmccallum@redhat.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/tibVRDcpU7MEKqWO9aToslnxpg0>
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos Service Discovery using DNS

Hello Nathaniel,

> I have uploaded a new draft: 
> http://datatracker.ietf.org/doc/draft-mccallum-kitten-krb-service-discovery/
Please consider deprecating the SRV-based procedure; without deprecation, implementations are pretty much convicted to implementing both mechanisms forevermore, which is silly from both KISS and security viewpoints.

Please specify the implications for naming in certificates, such as for PKINIT.

Please do not overlook SCTP; it has the reliability and size-scalability of TCP but the speed and ordering advantages of UDP.  Even when Kerberos does not currently use SCTP, it may need to in future updates, possibly to handle large key sizes during PKINIT.

I hope this is helpful.

Cheers,
 -Rick