Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
Paul Romero <paulr@rcom-software.com> Mon, 20 February 2023 00:04 UTC
Return-Path: <paulr@rcom-software.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD1B0C14CF18 for <kitten@ietfa.amsl.com>; Sun, 19 Feb 2023 16:04:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X90r6uiqBr15 for <kitten@ietfa.amsl.com>; Sun, 19 Feb 2023 16:04:30 -0800 (PST)
Received: from spike.lmi.net (spike.lmi.net [66.117.140.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19808C14CF17 for <kitten@ietf.org>; Sun, 19 Feb 2023 16:04:29 -0800 (PST)
Received: from [192.168.1.157] (99-13-231-12.lightspeed.snjsca.sbcglobal.net [99.13.231.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: paulr@lmi.net) by spike.lmi.net (Postfix) with ESMTPSA id 83EA316006A for <kitten@ietf.org>; Sun, 19 Feb 2023 16:04:29 -0800 (PST)
Content-Type: multipart/alternative; boundary="------------3feMsMZ4BDwlvNwNWiLK0fh8"
Message-ID: <87b6479d-63d7-b31a-d2e2-b7bd6f9a9c65@rcom-software.com>
Date: Sun, 19 Feb 2023 16:04:29 -0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1
To: kitten@ietf.org
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <6cb6f5ddfc7b9b150b4eef72db5a3f3b9566fd80.camel@redhat.com> <20230219194355.36139173DDE@pb-smtp2.pobox.com> <Y/K2IEhX6c+b05Ye@gmail.com>
Content-Language: en-US
From: Paul Romero <paulr@rcom-software.com>
In-Reply-To: <Y/K2IEhX6c+b05Ye@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/tm4rJI3UlMcVQu8gfhAlq7Nr6k8>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Feb 2023 00:04:30 -0000
Hi Nico: I don't agree that SCRAM is obsolete and am curious why you think that is the case. I've used it quite a while and never experienced a security breach. The only problem I have come up against is the configuration of the end to end secret. Best Regards, Paul R. On 2/19/23 15:52, Nico Williams wrote: > On Sun, Feb 19, 2023 at 02:43:54PM -0500, Ken Hornstein wrote: >>> Just throwing it out here, because I sure would love to make it >>> possible (and easier) to use kerberos-backed out on the Web, without >>> all the issues that come with multiple-roundtrips, which are what I >>> find breaks most of these scenarios (the complexity of the protocol >>> itself and the unfamiliarity of any non-password/bearer based auth >>> scheme aside). >> You know, the frustrating thing to me (as a Kerberos fan) is that >> the multiple roundtrips problem isn't a Kerberos problem but more >> related to all of the stuff layered on top of Kerberos (GSS, SPNEGO, >> etc etc). I see how we got here, but I always was a bit skeptical of >> the value-add of all of those layers in practice. > I suspect that Simo is referring to HTTP 401, 200, 401, 200, .. problem. > That can happen with any HTTP authentication scheme, and I've seen that. > The solution is to use cookies. > > GSS-API adds no round trips. SPNEGO only adds a round trip if the > initiator's optimistic choice fails. Kerberos w/o mutual auth needn't > add even one round trip to the application layer protocol (though having > huge tickets doesn't help) provided the application is using the > sub-session keys (i.e., GSS per-message tokens or KRB-PRIV/SAFE). > > The problem with Kerberos is not the round trips. > > The biggest problem with Kerberos is that the world has been moving to > HTTP for everything, and in HTTP land the number of user-agent > implementations is enormous, and most don't support Negotiate. > Credential orchestration needs to be self-service in all deployments, > regardless of whether we're talking about Kerberos or PKI. > > (For this problem I've build an experimental Negotiate-as-a-service.) > > Another problem with Kerberos is credential orchestration -especially > server credentials ("keytabs")- and the need for KDC synchronization. > Just as there's a Let's Encrypt for the web that makes TLS server > credential provisioning much simpler, Kerberos and anything else that > requires server credentials also needs that. Without this feature it's > all just hard to use and scale. > > The lack of a standard "kadmin" protocol for fetching keys (and rotating > them) is a serious interoperability problem that causes integration and > provisioning pain. (Maybe we should propose Heimdal's httpkadmind > protocol?) > > There's also KDC synchronization that can be annoying. > > (For this problem in Heimdal we've build a virtual service principal > namespace feature that derives service keys from the namespace's > keys, the principals' names, and each key rotation epoch.) > > It's not like it's all great with other authentication protocols. > > - JWT lacks a fetch-a-rock protocol (like the TGS protocol). Such a > protocol would have to be dead simple. > > - OIDC requires both, clients _and_ servers to talk to OIDC issuers. > > - OIDC and SAML transport authentication material in URI q-params. > > - Client certificate support coverage is terrible and hard to use from > apps (especially where there's reverse proxy involved), plus the few > apps that support client certs don't have any support for using SANs! > > - DIGEST is obsolete. > > - SCRAM was obsolete the day it was born. > > - PAKEs are not a general purpose solution. > > There are good reasons why Kerberos is still around; the shortcomings of > other systems are among them. But there's been zero work in 30 years on > making Kerberos easy to deploy, orchestrate, and operate. The number of > people who are intimate with the protocol and who have the energy and > funding to tackle these issues is dwindling. That's not a recipe for > success. > > Nico -- Paul Romero ----------- RCOM Communications Software EMAIL:paulr@rcom-software.com PHONE: (510)482-2769
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Greg Hudson
- [kitten] Windows Intent to revive and implement I… Steve Syfuhs (AP)
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Greg Hudson
- Re: [kitten] Windows Intent to revive and impleme… josh.howlett
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Replacing Kerberos (Re: Windows Intent t… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Ken Hornstein
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Paul Romero
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Luke Howard
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Andrew Bartlett
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Updates to IAKERB (Re: Windows Intent to… Nico Williams
- Re: [kitten] Updates to IAKERB (Re: Windows Inten… Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos D.Rogers
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Watson Ladd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Simo Sorce