[kitten] Is id-pkinit-san misnamed? Can it be reused by kca?

Nico Williams <nico@cryptonector.com> Thu, 05 December 2013 07:19 UTC

Date: Thu, 05 Dec 2013 01:18:55 -0600
From: Nico Williams <nico@cryptonector.com>
To: kitten@ietf.org
Message-ID: <20131205071852.GO21240@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [kitten] Is id-pkinit-san misnamed? Can it be reused by kca?

PKINIT (RFC4556) adds a PKIX certificate SAN (id-pkinit-san) for representing Kerberos
principal names of AS clients and servers.

I believe that id-pkinit-san does not denote "for PKINIT", and therefore
was misnamed.  It should have been named id-kerberos-san.

Presence of an id-pkinit-san in a certificate is not sufficient to grant
the subject access to the given Kerberos principal name nor to resources
that that name is authorized to access.  Additional policy is needed,
and I believe the RFC is clear about this.

I ask because I'd like RFC6717 (kerberized online CA protocol) servers
to include the client's cname and crealm in an id-pkinit-san in the
certificate to be issued.  I see no reason not to, though it is probably
important to note that the kx509 service's PKIX issuer credentials
should not be acceptable as issuers of PKINIT client certs by any KDCs
(particularly the same as the issuing kx509 service's realm's)...

...unless one *really* wants to use Kerberos->kx509->PKINIT as a form of
PKCROSS... :)

...which conveniently just happens to be my proposal for PKCROSS!

Nico
--
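The two technical points in the message above, as an added example that is not part of the original post or of any Kerberos implementation: the value carried in an id-pkinit-san is a KRB5PrincipalName (RFC 4556 section 3.2.2: realm [0], principalName [1], with the explicit context tags and KerberosString/GeneralString encoding of RFC 4120), and a KDC must layer policy on top of it, since the SAN alone proves nothing about who may issue it. The DER codec below is hand-rolled so it runs offline; the issuer names, the trusted-issuer and kx509-issuer sets, and the decision function are hypothetical configuration, written to show the message's rule that a realm's kx509 (RFC 6717) CA must not be accepted as a PKINIT client-certificate issuer.

```python
"""Added example: id-pkinit-san value (KRB5PrincipalName) DER codec plus a
hypothetical KDC policy check.  Issuer names and policy sets are constructed
sample data, not anything from the message or from a real deployment."""
from dataclasses import dataclass
from typing import Tuple

ID_PKINIT_SAN = "1.3.6.1.5.2.2"   # id-pkinit-san OID, RFC 4556
NT_PRINCIPAL = 1                  # RFC 4120 name-types
NT_SRV_INST = 2

# ---- minimal DER helpers; Kerberos ASN.1 uses EXPLICIT context tags ----
def _len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _len(len(content)) + content

def _kstr(s: str) -> bytes:           # KerberosString = GeneralString (0x1b)
    return _tlv(0x1B, s.encode("ascii"))

def _int32(v: int) -> bytes:          # minimal two's-complement INTEGER
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _ctx(n: int, content: bytes) -> bytes:   # [n] EXPLICIT, constructed
    return _tlv(0xA0 | n, content)

def _read(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    """Read one TLV with the expected tag; return (content, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    first, pos = buf[pos + 1], pos + 2
    if first == 0x80:
        raise ValueError("indefinite length is not DER")
    if first < 0x80:
        length = first
    else:
        nb = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return buf[pos:pos + length], pos + length

# ---- KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName } ----
@dataclass(frozen=True)
class KRB5PrincipalName:
    realm: str
    name_type: int
    name_string: Tuple[str, ...]

    def __str__(self) -> str:
        return "/".join(self.name_string) + "@" + self.realm

def encode_krb5_principal_name(p: KRB5PrincipalName) -> bytes:
    principal_name = _tlv(0x30,
        _ctx(0, _int32(p.name_type))
        + _ctx(1, _tlv(0x30, b"".join(_kstr(c) for c in p.name_string))))
    return _tlv(0x30, _ctx(0, _kstr(p.realm)) + _ctx(1, principal_name))

def decode_krb5_principal_name(der: bytes) -> KRB5PrincipalName:
    outer, end = _read(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after KRB5PrincipalName")
    realm_ctx, pos = _read(outer, 0, 0xA0)
    realm, _ = _read(realm_ctx, 0, 0x1B)
    pn_ctx, pos = _read(outer, pos, 0xA1)
    if pos != len(outer):
        raise ValueError("unexpected extra fields")
    pn, _ = _read(pn_ctx, 0, 0x30)
    nt_ctx, pos = _read(pn, 0, 0xA0)
    nt, _ = _read(nt_ctx, 0, 0x02)
    ns_ctx, _ = _read(pn, pos, 0xA1)
    ns, _ = _read(ns_ctx, 0, 0x30)
    comps, p = [], 0
    while p < len(ns):
        c, p = _read(ns, p, 0x1B)
        comps.append(c.decode("ascii"))
    return KRB5PrincipalName(realm.decode("ascii"),
                             int.from_bytes(nt, "big", signed=True), tuple(comps))

# ---- policy layer: hypothetical KDC configuration, not from the message ----
@dataclass(frozen=True)
class OtherName:
    type_id: str
    value: bytes          # DER of the otherName value

@dataclass(frozen=True)
class ClientCert:
    issuer: str
    sans: Tuple[OtherName, ...]

TRUSTED_PKINIT_ISSUERS = frozenset({"CN=Enterprise PKINIT CA"})        # assumed
KX509_ISSUERS = frozenset({"CN=kx509 Online CA,O=EXAMPLE.COM"})        # assumed

def pkinit_client_decision(cert: ClientCert, requested: KRB5PrincipalName) -> Tuple[bool, str]:
    """Issuer policy first; only then does the SAN's principal name count."""
    if cert.issuer in KX509_ISSUERS:
        return False, "issuer is the realm's kx509 online CA; not acceptable for PKINIT"
    if cert.issuer not in TRUSTED_PKINIT_ISSUERS:
        return False, "issuer not trusted for PKINIT client certificates"
    names = [decode_krb5_principal_name(s.value) for s in cert.sans if s.type_id == ID_PKINIT_SAN]
    if requested not in names:       # exact, case-sensitive principal match
        return False, "requested principal is not asserted by any id-pkinit-san"
    return True, "accepted: trusted issuer and matching id-pkinit-san"

# constructed sample data
ALICE = KRB5PrincipalName("EXAMPLE.COM", NT_PRINCIPAL, ("alice",))
ALICE_DER = encode_krb5_principal_name(ALICE)
GOOD_CERT = ClientCert("CN=Enterprise PKINIT CA", (OtherName(ID_PKINIT_SAN, ALICE_DER),))
KX509_CERT = ClientCert("CN=kx509 Online CA,O=EXAMPLE.COM", (OtherName(ID_PKINIT_SAN, ALICE_DER),))
```

Note the ordering in pkinit_client_decision: the same DER-identical SAN is present in both sample certificates, and only the issuer decides the outcome. That is the point of the message's caveat, and it is also why a kx509 service that copies cname/crealm into an id-pkinit-san is harmless as long as no KDC lists that service's CA among its PKINIT issuers.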