IETF Logo Mail Archive

Re: [kitten] ID-Action: draft-williams-kitten-krb5-pkcross-01

Benjamin Kaduk <kaduk@mit.edu> Fri, 09 August 2013 18:16 UTC

Return-Path: <kaduk@MIT.EDU>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2965D11E8149 for <kitten@ietfa.amsl.com>; Fri, 9 Aug 2013 11:16:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.053
X-Spam-Level:
X-Spam-Status: No, score=-3.053 tagged_above=-999 required=5 tests=[AWL=-0.454, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RUyM+AhfC+CZ for <kitten@ietfa.amsl.com>; Fri, 9 Aug 2013 11:16:26 -0700 (PDT)
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) by ietfa.amsl.com (Postfix) with ESMTP id 50C4D11E8133 for <kitten@ietf.org>; Fri, 9 Aug 2013 11:10:57 -0700 (PDT)
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id r79I357t006971; Fri, 9 Aug 2013 14:03:05 -0400 (EDT)
Date: Fri, 09 Aug 2013 14:03:04 -0400
From: Benjamin Kaduk <kaduk@mit.edu>
To: kitten@ietf.org
In-Reply-To: <alpine.GSO.1.10.1308091323410.24720@multics.mit.edu>
Message-ID: <alpine.GSO.1.10.1308091402330.24720@multics.mit.edu>
References: <alpine.GSO.1.10.1308091323410.24720@multics.mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Subject: Re: [kitten] ID-Action: draft-williams-kitten-krb5-pkcross-01
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Aug 2013 18:16:32 -0000

Forgot to note: you cite draft-hotz-kx509-06, but it is RFC 6717, now.

On Fri, 9 Aug 2013, Benjamin Kaduk wrote:

> [again no in-reply-to, sorry]
>
> I've looked over this document, though I did not do a full-depth review of 
> it.
>
> The scheme is intellectually appealing, or at least amusing, and on paper it 
> seems to help with the issues related to cross-realm trusts.  I just can't 
> shake the feeling that it won't be adopted in the real world, though, and I'm 
> not sure why.  This makes me reluctant to spend much time trying to move it 
> forward without some indication that it would gain traction.
>
> Another reason for reluctance is that the propsal wants one of the 
> relatively-scarce KDCOptions flag bits.
>
> It looks like USE-SESSION-KEY-AS-REALM-KEY will only do one direction of 
> trust (at a time)?  So a bidirectional trust would still require initiation 
> from both sides (as it should).  It might be worth mentioning that 
> explicitly, even though it follows directly from the directions of trust 
> having different principal names.
>
> In section 2.1, I don't really understand the motivation for (d).
>
> Section 3 makes me wonder if there is some discussion to be had about the KDC 
> allowing/disallowing itself of making signatures of users' PKCROSS 
> certificates when there does exist a symmetric key between the realms. That 
> is, allowing new certs to be signed would preserve the privacy property, but 
> requires more work (?) and reduces auditability.
>
> In section 4, there might be something to be said about setting 
> TRANSITED-POLICY-CHECKED for a cached/post-LoF trust, after some threshold 
> has passed (wall time without changed cert, or number of successful requests, 
> or something).
>
> -Ben
>

v2.23.0 | Report a Bug | By Email