Re: [kitten] Fwd: New Version Notification for draft-vanrein-dnstxt-krb1-05.txt
Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 18 September 2015 15:32 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FA651B2E25 for <kitten@ietfa.amsl.com>; Fri, 18 Sep 2015 08:32:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TcTLsXUrYwa5 for <kitten@ietfa.amsl.com>; Fri, 18 Sep 2015 08:32:22 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F192D1B2E39 for <kitten@ietf.org>; Fri, 18 Sep 2015 08:32:20 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id C362628495F; Fri, 18 Sep 2015 15:32:19 +0000 (UTC)
Date: Fri, 18 Sep 2015 15:32:19 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: kitten@ietf.org
Message-ID: <20150918153219.GP21942@mournblade.imrryr.org>
References: <20150915143628.21162.89108.idtracker@ietfa.amsl.com> <55F82DA5.10504@openfortress.nl> <alpine.GSO.1.10.1509172254390.26829@multics.mit.edu> <55FBF0C8.6090904@openfortress.nl> <20150918140247.GB13294@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150918140247.GB13294@localhost>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/vDJEGuHixKlkvevyr_Ir7kvdQtU>
Subject: Re: [kitten] Fwd: New Version Notification for draft-vanrein-dnstxt-krb1-05.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: kitten@ietf.org
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2015 15:32:27 -0000
On Fri, Sep 18, 2015 at 09:02:48AM -0500, Nico Williams wrote:
> I'm very reluctant to agree to that, but I'd agree to saying that a TGS
> client should first try the realm as it appears in the PTR RR and then
> as up-cased if the first failed.
What does it mean to "try the realm"?
* If it is a case variant of the local realm, just use the local realm.
* If it is a case variant of a realm for which you already have
cross-realm TGT or a service ticket for the desired service,
use that.
* If capaths are configured, for a case-variant of the realm,
use that.
* Otherwise, referrals with the KDC locating a suitable next
realm based on capaths or a direct "trust" relationship.
The only time that determining the canonical form of the remote
realm becomes plausibly difficult, is when trust is constructed on
the fly via public keys in DNSSEC. When such a protocol is designed,
the canonical realm suffix can be communicated as part of the
authenticated cross-realm key exchange.
So I don't see any need for "guessing" the realm name, rather all
that's required is that KDCs be able to locate cross-realm keys in
a "case-insensitive" manner (more precisely, if two realm names
represent the same valid DNS name, then each matches the other)
and that clients accept KDC responses in which the KDC has
canonicalized the requested realm name.
> The only thing that concerns me is how to canonicalize realm names for
> name-based authorization. This is the case where an AS client used an
> alias realm name and now cannot get authorized to access some resources.
I don't expect that AS clients will be getting the realm name for
"kinit" from DNS. If you want to "kinit" to a realm other than
the realm of the local host, I expect you need to know its name.
In any case the realm is (generally) part of the salt in string-to-key,
so it would seem that AS is not possible with a variant realm.
--
Viktor.
- [kitten] Fwd: New Version Notification for draft-… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Benjamin Kaduk
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Nico Williams
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson
- Re: [kitten] Fwd: New Version Notification for dr… Viktor Dukhovni
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Rick van Rein
- Re: [kitten] Fwd: New Version Notification for dr… Greg Hudson