Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Nico Williams <nico@cryptonector.com> Wed, 22 February 2023 00:51 UTC

Date: Tue, 21 Feb 2023 18:50:55 -0600
From: Nico Williams <nico@cryptonector.com>
To: Simo Sorce <simo@redhat.com>
Cc: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/Vm72If5s48t+hT@gmail.com>
References: <20230219194355.36139173DDE@pb-smtp2.pobox.com> <Y/K2IEhX6c+b05Ye@gmail.com> <Y/QT7BxdTHq0RYTz@gmail.com> <7064A9EB-EB01-426C-9BED-AFB97FA93551@padl.com> <Y/Q7hdTOF1HaxQKM@gmail.com> <Y/RFX4XywCAlhCeB@gmail.com> <MW4PR21MB197087AF4BB7632B0DF662619CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/T/3wwBIMZ+2mf6@gmail.com> <79d730c13949d649783a0e565a8c108abad944a1.camel@redhat.com> <Y/U5zbEFm6pGHIS1@gmail.com>
In-Reply-To: <Y/U5zbEFm6pGHIS1@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/wcHADuvv1gYCd3UOQcRzlxE7DsM>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

If we were building a Needham-Schroeder protocol from scratch to replace
Kerberos, why wouldn't we use HTTP as the transport for all protocols
involving the KDC?

I've no doubt that we would do that.

And we'd use JSON for the encoding rules, too, no doubt.

And we'd have to have a bearer token form, which would be not at all
unlike the existing symmetrically-encrypted JWT option.

I suggest that everything new we build for Kerberos should be based on
HTTP.  That's what I've been doing in Heimdal.

Nico
--
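The bearer-token form the message alludes to, a symmetrically-encrypted JWT standing in for a Kerberos service ticket, as an added example that is not part of the original post and is not Heimdal's or IAKerb's code: stdlib-only Go in which a KDC seals a ticket as an RFC 7516 compact JWE (alg "dir", enc "A256GCM") under the key it shares with the service, and the service opens it and enforces audience and expiry. The claim names, principal names, TTL and the all-zero demo key are assumptions made here; the HTTP/JSON transport the message advocates is not shown and would simply carry the request and the returned ticket as JSON bodies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Ticket is the Kerberos-ticket-like claim set inside the JWE (claim names are assumptions).
type Ticket struct {
	Client     string `json:"sub"` // client principal
	Service    string `json:"aud"` // service principal the ticket is for
	SessionKey []byte `json:"sk"`  // client/service session key (base64 in JSON)
	Expiry     int64  `json:"exp"` // unix seconds
}

var b64 = base64.RawURLEncoding
var hdrB64 = b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256GCM"}`)) // JWE protected header

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("A256GCM needs a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// sealJWE builds an RFC 7516 compact JWE, header..iv.ciphertext.tag, with the header as AAD.
func sealJWE(key, plaintext []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, iv, plaintext, []byte(hdrB64)) // ciphertext || tag
	n := len(ct) - gcm.Overhead()
	return strings.Join([]string{hdrB64, "", b64.EncodeToString(iv),
		b64.EncodeToString(ct[:n]), b64.EncodeToString(ct[n:])}, "."), nil
}

// openJWE reverses sealJWE; a wrong key or any tampered part fails authentication.
func openJWE(key []byte, token string) ([]byte, error) {
	p := strings.Split(token, ".")
	if len(p) != 5 || p[0] != hdrB64 || p[1] != "" {
		return nil, errors.New("not a dir/A256GCM compact JWE")
	}
	iv, e1 := b64.DecodeString(p[2])
	body, e2 := b64.DecodeString(p[3])
	tag, e3 := b64.DecodeString(p[4])
	gcm, err := newGCM(key)
	if err != nil || e1 != nil || e2 != nil || e3 != nil || len(iv) != gcm.NonceSize() {
		return nil, errors.New("undecodable JWE or unusable key")
	}
	return gcm.Open(nil, iv, append(body, tag...), []byte(hdrB64))
}

// IssueTicket is the KDC side: mint a session key, seal the ticket under the service's key.
func IssueTicket(serviceKey []byte, client, service string, now time.Time, ttl time.Duration) (string, []byte, error) {
	sk := make([]byte, 32)
	if _, err := rand.Read(sk); err != nil {
		return "", nil, err
	}
	claims, _ := json.Marshal(Ticket{Client: client, Service: service, SessionKey: sk, Expiry: now.Add(ttl).Unix()})
	tok, err := sealJWE(serviceKey, claims)
	return tok, sk, err
}

// VerifyTicket is the service side. Decrypting is not enough: the acceptor must also
// reject expired tickets and tickets for another principal that shares this key.
func VerifyTicket(serviceKey []byte, token, service string, now time.Time) (*Ticket, error) {
	pt, err := openJWE(serviceKey, token)
	if err != nil {
		return nil, err
	}
	var t Ticket
	if err := json.Unmarshal(pt, &t); err != nil {
		return nil, err
	}
	if t.Service != service || !now.Before(time.Unix(t.Expiry, 0)) {
		return nil, errors.New("ticket is not valid for this service at this time")
	}
	return &t, nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero service key, for the demo only
	tok, _, err := IssueTicket(key, "alice@EXAMPLE.COM", "host/www.example.com", time.Now(), time.Minute)
	fmt.Println(tok, err)
}
```

The protected header is both the first JWE segment and the AEAD's associated data, so an attacker cannot swap "enc" or "alg" without breaking the tag; the acceptor additionally refuses any header other than the one it expects, which closes the usual algorithm-confusion hole before decryption is attempted.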