IETF Logo Mail Archive

Re: [kitten] draft-ietf-kitten-iakerb-02

Benjamin Kaduk <kaduk@MIT.EDU> Fri, 24 October 2014 22:08 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAFED1AC3A6 for <kitten@ietfa.amsl.com>; Fri, 24 Oct 2014 15:08:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QNarI4K5OkTp for <kitten@ietfa.amsl.com>; Fri, 24 Oct 2014 15:08:48 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BAA11ABD35 for <kitten@ietf.org>; Fri, 24 Oct 2014 15:08:48 -0700 (PDT)
X-AuditID: 1209190d-f79c06d000006f95-96-544acdee047f
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id 81.18.28565.EEDCA445; Fri, 24 Oct 2014 18:08:47 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id s9OM8kog020942; Fri, 24 Oct 2014 18:08:46 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s9OM8iaA015951 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 24 Oct 2014 18:08:45 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id s9OM8iLo029879; Fri, 24 Oct 2014 18:08:44 -0400 (EDT)
Date: Fri, 24 Oct 2014 18:08:44 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Greg Hudson <ghudson@MIT.EDU>
In-Reply-To: <54402CAC.3010209@mit.edu>
Message-ID: <alpine.GSO.1.10.1410241543520.27826@multics.mit.edu>
References: <alpine.GSO.1.10.1410141053220.27826@multics.mit.edu> <54402CAC.3010209@mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrEIsWRmVeSWpSXmKPExsUixG6novv+rFeIwa1eJoujm1exODB6LFny kymAMYrLJiU1J7MstUjfLoErY/O/Z8wFO/gqTl2+yNzAeJC7i5GTQ0LARGL353OMELaYxIV7 69m6GLk4hARmM0msP30ZytnIKHG5bT6Uc4hJ4uC5+YwQTgOjxMTTV1hA+lkEtCX6n29iBbHZ BFQkZr7ZyAZiiwgoSvxe+RZsB7OAsMT6czOYQWxhAUOJ5xN+A8U5ODgF1CUWPJcBMXkFHCU6 FkqAVAgJxEismzwNbKKogI7E6v1TwDbxCghKnJz5hAViopbE8unbWCYwCs5CkpqFJLWAkWkV o2xKbpVubmJmTnFqsm5xcmJeXmqRrpFebmaJXmpK6SZGUFBySvLuYHx3UOkQowAHoxIPr8Fs zxAh1sSy4srcQ4ySHExKoryfT3uFCPEl5adUZiQWZ8QXleakFh9ilOBgVhLh3bANKMebklhZ lVqUD5OS5mBREufd9IMvREggPbEkNTs1tSC1CCYrw8GhJMFrCYw+IcGi1PTUirTMnBKENBMH J8hwHqDh+86ADC8uSMwtzkyHyJ9iVJQS580GSQiAJDJK8+B6YUnjFaM40CvCvC4gK3iACQeu +xXQYCagwfEbPEAGlyQipKQaGEuOsEnvnn8hwH7uvNdTmgr907asze8ueG9od710bu7xqE2h 5wLZqmfIOb+bKH7TqHXNpTti30sev5XVZT6hHLe4U0r/RIDBGp6IlaJ1em4rn3t0SyQE+8rX LU74Wfln64rpbS6+jIyJKReu9B/8s+z90VOPP7+sCS5nmSTuuPa/fXmmc1PtHyWW4oxEQy3m ouJEAO0d+KP1AgAA
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/wnVMDMyyZqxgvlYAwoAfrGy9k8o
Cc: kitten@ietf.org
Subject: Re: [kitten] draft-ietf-kitten-iakerb-02
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 22:08:52 -0000

On Thu, 16 Oct 2014, Greg Hudson wrote:

> "tickts" is a typo.
>
> "Yes, the tags start at 1" might be more professionally stated as "Note
> that the tag numbers start at 1."

Thanks, patched in my local branch.

> "Since the GSS-API acceptor can act as a Kerberos acceptor, it always
> has an associated Kerberos realm."  This does not follow.  To be a
> Kerberos acceptor, all you need are some keys to decrypt AP-REQ
> authenticators with.  You might have keys from multiple realms.  There
> should be guidance on what to do if the acceptor has no default realm.

Well, it has at least one realm that it knows exists.  (I guess it need
not strictly speaking know where the KDCs for that realm are...)  This
case where the client needs to resolve an enterprise name but doesn't have
a local realm may not be terribly common, so it might be okay to just fail
the GSS negotiation at this point.  Alternately, the acceptor could pick
an arbitrary realm it can accept tickets from.  The latter seems to allow
things to work in more cases than the former, and I don't think it would
make any cases worse than the former, so I'll probably go with the latter.

> "(including the generic token framing of the GSSAPI-Token type from
> [RFC4121])" should reference RFC 2743, shouldn't it?

In 2743, the corresponding type is InitialContextToken, which is why I
made that choice.  Looking more carefully, it also has
SubsequentContextToken ::= innerContextToken ANY
so maybe that's less of an issue than I thought.  And 4121 refers back to
section 3.1 of 2743 as the normative source of the framing, "illustrated
by the following pseudo-ASN.1 structures", so I think you're right that
2743 is the right reference.

So, "including the generic token framing of the InnerContextToken type
from [RFC 2743]", then?


-Ben

v2.23.0 | Report a Bug | By Email