Re: [kitten] Comments on draft-ietf-kitten-iakerb-01

Greg Hudson <ghudson@MIT.EDU> Sun, 16 February 2014 19:39 UTC

Message-ID: <53011405.4050904@mit.edu>
Date: Sun, 16 Feb 2014 14:39:49 -0500
From: Greg Hudson <ghudson@MIT.EDU>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: kitten@ietf.org
References: <x7deh332d59.fsf@equal-rites.mit.edu>
In-Reply-To: <x7deh332d59.fsf@equal-rites.mit.edu>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/uwCae1EvZVIL__DxkV3Be3FMhYs
Subject: Re: [kitten] Comments on draft-ietf-kitten-iakerb-01
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

On 02/16/2014 12:14 PM, Greg Hudson wrote:
> This doesn't provide useful advice for interoperating with an MIT
> initiator, as a standard acceptor will always frame the response token.
> I suggest:
> 
>   Acceptors behave as follows:
> 
>   o  If the AP-REQ authenticator contains an extension of type 1
>      containing a KRB-FINISHED message, then process the extension as if
>      it were of type GSS_EXTS_FINISHED, except with a key usage of
>      KEY_USAGE_IAKERB_FINISHED (42) instead of KEY_USAGE_FINISHED (41).

I missed a necessary bullet point here.  Before the AP-REQ bullet point,
I suggest:

  o  After the first initiator token, allow initiator tokens to omit
     generic token framing.  This allowance is required only for
     IAKERB_PROXY messages (those using token ID 05 01), not for tokens
     defined in [RFC4121].

It might also be worthwhile to say that, for the purpose of computing
the KRB-FINISHED checksum, initiators and acceptors should both use the
tokens they sent or received without modification--that is, don't insert
synthetic generic token framing or modify the token to have the
standardized extension type.  But I don't have suggested wording, and it
should be fairly obvious even if we don't say it.
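The two acceptor rules above (tolerate unframed IAKERB_PROXY tokens after the first one, and feed KRB-FINISHED exactly the bytes that went over the wire) as a Python sketch. This is an added illustration, not code from the draft, from MIT krb5 or from the message above. Assumptions: the first initiator token is framed per RFC 2743 with the IAKERB mechanism OID 1.3.6.1.5.2.5; the numeric value of GSS_EXTS_FINISHED is taken as 2 (check it against the draft); the keyed checksum is an HMAC-SHA256 stand-in for the Kerberos checksum profile, with the key usage (41 or 42) mixed in; all token payloads and the subkey are constructed placeholders, not real ASN.1.

```python
import hashlib
import hmac

# DER OID values without tag/length: 1.3.6.1.5.2.5 (IAKERB), 1.2.840.113554.1.2.2 (krb5).
IAKERB_MECH_OID = bytes.fromhex("2b0601050205")
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")
TOK_IAKERB_PROXY = b"\x05\x01"    # IAKERB_PROXY token ID
TOK_KRB_AP_REQ = b"\x01\x00"      # RFC 4121 KRB_AP_REQ token ID
KEY_USAGE_FINISHED = 41           # checksum usage for GSS_EXTS_FINISHED
KEY_USAGE_IAKERB_FINISHED = 42    # checksum usage for the legacy MIT extension
MIT_LEGACY_FINISHED_EXT_TYPE = 1  # extension type MIT initiators send
GSS_EXTS_FINISHED_TYPE = 2        # assumed standard type; confirm against the draft


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def frame(mech_oid: bytes, inner: bytes) -> bytes:
    """Wrap an inner token in RFC 2743 section 3.1 generic token framing."""
    oid_tlv = b"\x06" + _der_len(len(mech_oid)) + mech_oid
    return b"\x60" + _der_len(len(oid_tlv) + len(inner)) + oid_tlv + inner


def unframe(token: bytes):
    """Return (mech_oid, inner) for a framed token, or (None, token) if unframed."""
    if not token or token[0] != 0x60:
        return None, token
    pos, ln = 2, token[1]
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(token[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + ln != len(token) or token[pos] != 0x06:
        raise ValueError("malformed generic token framing")
    oid_len = token[pos + 1]
    oid = token[pos + 2:pos + 2 + oid_len]
    return oid, token[pos + 2 + oid_len:]


class IakerbAcceptor:
    """Applies the framing rules and keeps the raw transcript for KRB-FINISHED."""

    def __init__(self):
        self.transcript = []   # tokens exactly as received, never rewritten
        self.seen_first = False

    def accept(self, token: bytes) -> bytes:
        """Validate one initiator token; return its inner token or raise."""
        oid, inner = unframe(token)
        if not self.seen_first:
            # Assumed: the initial context token is framed with the IAKERB OID.
            if oid != IAKERB_MECH_OID:
                raise ValueError("first token must carry IAKERB generic framing")
            self.seen_first = True
        elif oid is None and inner[:2] != TOK_IAKERB_PROXY:
            # Later tokens may omit framing only if they are IAKERB_PROXY (05 01).
            raise ValueError("unframed token is not IAKERB_PROXY")
        self.transcript.append(token)
        return inner


def finished_key_usage(ext_type: int) -> int:
    """Pick the KRB-FINISHED key usage from the authenticator extension type."""
    if ext_type == MIT_LEGACY_FINISHED_EXT_TYPE:
        return KEY_USAGE_IAKERB_FINISHED
    if ext_type == GSS_EXTS_FINISHED_TYPE:
        return KEY_USAGE_FINISHED
    raise ValueError("extension is not a KRB-FINISHED message")


def finished_checksum(key: bytes, transcript, usage: int) -> bytes:
    """Stand-in keyed checksum (HMAC-SHA256, not the Kerberos profile) over raw tokens."""
    mac = hmac.new(key, usage.to_bytes(4, "big"), hashlib.sha256)
    for tok in transcript:
        mac.update(tok)
    return mac.digest()


def simulate_exchange() -> dict:
    """MIT-style initiator: framed IAKERB_PROXY, unframed IAKERB_PROXY, framed AP-REQ."""
    sent = [   # constructed placeholder payloads
        frame(IAKERB_MECH_OID, TOK_IAKERB_PROXY + b"<IAKERB-HEADER + AS-REQ 1>"),
        TOK_IAKERB_PROXY + b"<IAKERB-HEADER + AS-REQ 2>",
        frame(KRB5_MECH_OID, TOK_KRB_AP_REQ + b"<AP-REQ>"),
    ]
    acc = IakerbAcceptor()
    for tok in sent:
        acc.accept(tok)
    key = bytes(range(32))   # constructed subkey
    usage = finished_key_usage(MIT_LEGACY_FINISHED_EXT_TYPE)
    initiator = finished_checksum(key, sent, usage)
    acceptor = finished_checksum(key, acc.transcript, usage)
    # Wrong: inserting synthetic framing before hashing breaks the match.
    rewritten = [t if t[0] == 0x60 else frame(IAKERB_MECH_OID, t) for t in acc.transcript]
    return {
        "usage": usage,
        "match": initiator == acceptor,
        "rewritten_match": initiator == finished_checksum(key, rewritten, usage),
    }
```

Running simulate_exchange() shows the legacy type-1 extension selecting usage 42, the checksums agreeing when both sides hash the wire bytes as-is, and disagreeing once the acceptor normalises the unframed token by adding framing, which is the failure mode the last paragraph warns about.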