Re: [kitten] Authentication Indicator in Kerberos tickets
Benjamin Kaduk <kaduk@MIT.EDU> Fri, 03 October 2014 15:20 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F23CF1A0120 for <kitten@ietfa.amsl.com>; Fri, 3 Oct 2014 08:20:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.987
X-Spam-Level:
X-Spam-Status: No, score=-4.987 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uKLDec_rCEfg for <kitten@ietfa.amsl.com>; Fri, 3 Oct 2014 08:20:54 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 598AF1A0222 for <kitten@ietf.org>; Fri, 3 Oct 2014 08:20:54 -0700 (PDT)
X-AuditID: 1209190c-f795e6d000006c66-a6-542ebed46cf1
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 97.89.27750.4DEBE245; Fri, 3 Oct 2014 11:20:53 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id s93FKqHc030029; Fri, 3 Oct 2014 11:20:52 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s93FKowq015166 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 3 Oct 2014 11:20:51 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id s93FKnum009265; Fri, 3 Oct 2014 11:20:49 -0400 (EDT)
Date: Fri, 03 Oct 2014 11:20:49 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Nathaniel McCallum <npmccallum@redhat.com>
In-Reply-To: <1409243818.9966.3.camel@redhat.com>
Message-ID: <alpine.GSO.1.10.1410031104281.27826@multics.mit.edu>
References: <1409243818.9966.3.camel@redhat.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrNIsWRmVeSWpSXmKPExsUixG6nont1n16Iwe9/jBZHN69isZj7dRar A5PHkiU/mTze77vKFsAUxWWTkpqTWZZapG+XwJVx/NsZ9oLHohU/ulwaGK8JdjFyckgImEhs ubaUDcIWk7hwbz2QzcUhJDCbSWLi7dnMEM4GRonb619BOQeZJBrnNLOCtAgJ1EtsX74FrJ1F QEti99vjzCA2m4CKxMw3G8HiIgJ6Esv2TWAEsZkFhCXWn5sBViMs4CQxc8ktsBpOAUOJ9y8O soPYvAKOEq07DzF1MXIAzTeQePtDGiQsKqAjsXr/FBaIEkGJkzOfsECM1JJYPn0bywRGwVlI UrOQpBYwMq1ilE3JrdLNTczMKU5N1i1OTszLSy3SNdTLzSzRS00p3cQIClNOSZ4djG8OKh1i FOBgVOLh/XBDN0SINbGsuDL3EKMkB5OSKC/3Nr0QIb6k/JTKjMTijPii0pzU4kOMEhzMSiK8 C1YC5XhTEiurUovyYVLSHCxK4rybfvCFCAmkJ5akZqemFqQWwWRlODiUJHg/7gFqFCxKTU+t SMvMKUFIM3FwggznARouuQ9keHFBYm5xZjpE/hSjopQ47+m9QAkBkERGaR5cLyyNvGIUB3pF mPcBSBUPMAXBdb8CGswENPidvS7I4JJEhJRUA+O0eToHe+xXnljHo3mLob34DetspqWRnpNF CkyKY7bbLJlT+ZszVY6NO0fyw43625M7maTCEu5EHpFdq/Zb71iAxd4pbm4hE/a3/J3MqhZy cktk5t4fa9jOPVU2c+qf9TbXZf/CFxKTHnp47fyy+CrnEr/pfOYVTTvXtMdYfLz7496htGsR Ke5KLMUZiYZazEXFiQAjFyhh/gIAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/ubMT-It_m7yOUbm3aV7RR5_ZO8A
Cc: kitten@ietf.org
Subject: Re: [kitten] Authentication Indicator in Kerberos tickets
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Oct 2014 15:20:59 -0000
Hi Nathaniel, On Thu, 28 Aug 2014, Nathaniel McCallum wrote: > The purpose of Authentication Indicators is to be able to assert some > positive attributes about the authentication event itself in the ticket. > This should also be usable in the case of S4U2Proxy. > > The draft can be found here: > http://www.ietf.org/id/draft-jain-kitten-krb-auth-indicator-01.txt I think we've seen sufficient interest to justify adopting this as a working group document. Please submit the next revision as draft-ietf-kitten-krb-auth-indicator-00 so that the chairs can approve it as a WG document. As an individual, I have some comments about the text. I think that the name of the authorization data type should have an AD- prefix, that is, be AD-AUTHENTICATION-INDICATOR. In section 3, the ad-data field contains the DER encoding of the ASN.1 type whose definition follows, not the "AD type". This document is not the place to make normative statements about the AD-CAMMAC. So, the last paragraph of section 3 should not say that the AD-CAMMAC element MAY be safely ignored. Similarly, the CAMMAC document already has a mechanism for binding the CAMMAC to the enclosing ticket in the definition of the kdc-verifier. If this document needs to say anything about such a binding, it should probably just say that the KDC MUST include a kdc-verifier in the containing CAMMAC, to provide a binding to the enclosing ticket. The document lists RFCs 4120 and 4121 in the references sections, but does not make citations to those references at any point in the main text. I am not sure that 4121 is necessary unless there is a desire to add, e.g., a GSS name attribute by which the authentication indicator may be accessed. For 4120, on the other hand, I think this document should Update: 4120, and mention that in the abstract and introduction at least. After the definition of the ASN.1 type AUTHENTICATION-INDICATOR, you have "These values are short strings[...]". In specification documents like this, it's usually best to avoid generic pronouns like "these" and include concrete bindings, as in "These UTF8String values are[...]". Also, the ASN.1 definition does not include the EXPLICIT TAGS and similar boilerplate usually found when declaring Kerberos ASN.1 modules. That should be present unless we are trying to stuff this into an existing module (in which case that should be stated). In the abstract, I think it may be worth replacing "indicator of the client's authentication strength" with "indicator of the strengh of the client's authentication". There are a few grammar nits (missing "the"s, mostly). I can point them out out-of-band if you don't want to duplicate time looking for them. Thanks, Ben
- [kitten] Authentication Indicator in Kerberos tic… Nathaniel McCallum
- Re: [kitten] Authentication Indicator in Kerberos… Greg Hudson
- Re: [kitten] Authentication Indicator in Kerberos… Benjamin Kaduk
- Re: [kitten] Authentication Indicator in Kerberos… Richard Feezel
- Re: [kitten] Authentication Indicator in Kerberos… Benjamin Kaduk
- Re: [kitten] Authentication Indicator in Kerberos… Richard Feezel
- Re: [kitten] Authentication Indicator in Kerberos… Benjamin Kaduk
- Re: [kitten] Authentication Indicator in Kerberos… Tom Yu
- Re: [kitten] Authentication Indicator in Kerberos… Nico Williams
- Re: [kitten] Authentication Indicator in Kerberos… Simo Sorce
- Re: [kitten] Authentication Indicator in Kerberos… Jeffrey Altman
- Re: [kitten] Authentication Indicator in Kerberos… Benjamin Kaduk