Re: [kitten] ID-Action: draft-williams-kitten-krb5-pkcross-01
Benjamin Kaduk <kaduk@mit.edu> Fri, 09 August 2013 18:16 UTC
Return-Path: <kaduk@MIT.EDU>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2965D11E8149 for <kitten@ietfa.amsl.com>; Fri, 9 Aug 2013 11:16:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.053
X-Spam-Level:
X-Spam-Status: No, score=-3.053 tagged_above=-999 required=5 tests=[AWL=-0.454, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RUyM+AhfC+CZ for <kitten@ietfa.amsl.com>; Fri, 9 Aug 2013 11:16:26 -0700 (PDT)
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) by ietfa.amsl.com (Postfix) with ESMTP id 50C4D11E8133 for <kitten@ietf.org>; Fri, 9 Aug 2013 11:10:57 -0700 (PDT)
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id r79I357t006971; Fri, 9 Aug 2013 14:03:05 -0400 (EDT)
Date: Fri, 09 Aug 2013 14:03:04 -0400
From: Benjamin Kaduk <kaduk@mit.edu>
To: kitten@ietf.org
In-Reply-To: <alpine.GSO.1.10.1308091323410.24720@multics.mit.edu>
Message-ID: <alpine.GSO.1.10.1308091402330.24720@multics.mit.edu>
References: <alpine.GSO.1.10.1308091323410.24720@multics.mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Subject: Re: [kitten] ID-Action: draft-williams-kitten-krb5-pkcross-01
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Aug 2013 18:16:32 -0000
Forgot to note: you cite draft-hotz-kx509-06, but it is RFC 6717, now. On Fri, 9 Aug 2013, Benjamin Kaduk wrote: > [again no in-reply-to, sorry] > > I've looked over this document, though I did not do a full-depth review of > it. > > The scheme is intellectually appealing, or at least amusing, and on paper it > seems to help with the issues related to cross-realm trusts. I just can't > shake the feeling that it won't be adopted in the real world, though, and I'm > not sure why. This makes me reluctant to spend much time trying to move it > forward without some indication that it would gain traction. > > Another reason for reluctance is that the propsal wants one of the > relatively-scarce KDCOptions flag bits. > > It looks like USE-SESSION-KEY-AS-REALM-KEY will only do one direction of > trust (at a time)? So a bidirectional trust would still require initiation > from both sides (as it should). It might be worth mentioning that > explicitly, even though it follows directly from the directions of trust > having different principal names. > > In section 2.1, I don't really understand the motivation for (d). > > Section 3 makes me wonder if there is some discussion to be had about the KDC > allowing/disallowing itself of making signatures of users' PKCROSS > certificates when there does exist a symmetric key between the realms. That > is, allowing new certs to be signed would preserve the privacy property, but > requires more work (?) and reduces auditability. > > In section 4, there might be something to be said about setting > TRANSITED-POLICY-CHECKED for a cached/post-LoF trust, after some threshold > has passed (wall time without changed cert, or number of successful requests, > or something). > > -Ben >
- Re: [kitten] ID-Action: draft-williams-kitten-krb… Benjamin Kaduk
- Re: [kitten] ID-Action: draft-williams-kitten-krb… Benjamin Kaduk
- Re: [kitten] ID-Action: draft-williams-kitten-krb… Nico Williams