Re: [kitten] Replacing Kerberos

Watson Ladd <watsonbladd@gmail.com> Mon, 27 February 2023 00:48 UTC

References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/GFY3wTO+TBg638@gmail.com> <134D46FA-1E2A-4DB0-9B8D-6897136972CA@e43.eu> <Y/fNaFUq3YMjhahD@gmail.com> <3254E2DC-A6A8-4071-B3EB-BBD73056547C@e43.eu>
In-Reply-To: <3254E2DC-A6A8-4071-B3EB-BBD73056547C@e43.eu>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sun, 26 Feb 2023 16:48:34 -0800
Message-ID: <CACsn0c=dNOf_hFXboFkb=oqANHZkN3wj=GfPQTfD2ENdT0UM9A@mail.gmail.com>
To: Erin Shepherd <erin.shepherd@e43.eu>
Cc: Nico Williams <nico@cryptonector.com>, "kitten@ietf.org" <kitten@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/wr1ciXerGox3Rz64eezyRnLhRGc>
Subject: Re: [kitten] Replacing Kerberos

On Sun, Feb 26, 2023 at 4:29 PM Erin Shepherd <erin.shepherd@e43.eu> wrote:
>
> On 23 Feb 2023, at 21:32, Nico Williams <nico@cryptonector.com> wrote:
>
> On Thu, Feb 23, 2023 at 09:20:49PM +0100, Erin Shepherd wrote:
>
> - the ability to use this mechanism as a TLS 1.3 PSK
>
>
> What I meant above by "the ability to use this mechanism as a TLS 1.3
> PSK" is that TLS applications should be able to use Kerberos / Kerberos
> replacement in TLS a la RFC 2712 (which is essentially obsolete and
> broken).
>
> So effectively a standardised way of using it as a TLS keying material importer?
> Makes a lot of sense.

I don't think that's the right way to do it. Instead I'd use the TLS
exporter to produce a channel binding to a kerberized authentication.

That would fit the TLS 1.3 proofs more cleanly and permit coexistence
with other forms of user auth with less impedance. But I'm very open
to being convinced otherwise.

Sincerely,
Watson
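The alternative Watson sketches, a channel binding derived from the TLS 1.3 exporter and covered by a Kerberized authenticator, as an added worked example that is not code from the thread or from any Kerberos or TLS implementation. It implements HKDF-Expand-Label and the TLS-Exporter construction from RFC 8446 and the "tls-exporter" channel-binding type from RFC 9266 (label "EXPORTER-Channel-Binding", empty context, 32 bytes). The authenticator is a simplified stand-in for a Kerberos AP-REQ: a MAC under a shared session key over the client principal and the binding; the `exporter_master_secret` values, the session key, the principal name and the `AUTH_LABEL` string are constructed for the illustration.

```python
"""Channel binding from the TLS 1.3 exporter, bound into a Kerberos-style
authenticator. Constructed illustration; not kitten-list or MIT/Heimdal code."""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1).
    HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>,
    with the label prefixed by "tls13 "."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def tls13_exporter(exporter_master_secret: bytes, label: bytes,
                   context: bytes, length: int) -> bytes:
    """TLS-Exporter (RFC 8446 section 7.5):
    HKDF-Expand-Label(Derive-Secret(Secret, label, ""), "exporter", Hash(context), length).
    Derive-Secret with an empty transcript uses Hash("") as its context."""
    derived = hkdf_expand_label(exporter_master_secret, label, HASH(b"").digest(), HASH_LEN)
    return hkdf_expand_label(derived, b"exporter", HASH(context).digest(), length)


def tls_exporter_channel_binding(exporter_master_secret: bytes) -> bytes:
    """'tls-exporter' channel binding (RFC 9266): label EXPORTER-Channel-Binding,
    empty context, 32 bytes of output."""
    return tls13_exporter(exporter_master_secret, b"EXPORTER-Channel-Binding", b"", 32)


# Simplified Kerberos-style authenticator. A real AP-REQ would carry the binding in
# the authenticator's checksum field; here it is a MAC under the session key.
AUTH_LABEL = b"kerberized-auth-over-tls"  # hypothetical domain-separation label


def make_authenticator(session_key: bytes, client_principal: bytes,
                       channel_binding: bytes) -> bytes:
    return hmac.new(session_key, AUTH_LABEL + client_principal + channel_binding,
                    HASH).digest()


def verify_authenticator(session_key: bytes, client_principal: bytes,
                         channel_binding: bytes, tag: bytes) -> bool:
    expected = make_authenticator(session_key, client_principal, channel_binding)
    return hmac.compare_digest(expected, tag)


def demo(mitm: bool) -> bool:
    """Client authenticates to a service over TLS.
    Without a MITM, both ends derive the binding from the same exporter_master_secret.
    With a MITM relaying the Kerberos exchange, the service's TLS session is a
    different one, so its exporter output differs and verification fails."""
    session_key = os.urandom(32)  # constructed Kerberos session key shared by both parties
    client_ems = os.urandom(32)   # constructed stand-in for the client's exporter_master_secret
    server_ems = os.urandom(32) if mitm else client_ems
    principal = b"alice@EXAMPLE.COM"  # constructed principal name
    tag = make_authenticator(session_key, principal,
                             tls_exporter_channel_binding(client_ems))
    return verify_authenticator(session_key, principal,
                                tls_exporter_channel_binding(server_ems), tag)


if __name__ == "__main__":
    print("direct session verifies:", demo(mitm=False))
    print("relayed through a MITM verifies:", demo(mitm=True))
```

The exporter output depends only on the TLS session's `exporter_master_secret`, so the binding costs nothing in the handshake and the Kerberos exchange stays unchanged apart from what the authenticator covers; that is what lets it coexist with other user-authentication methods on the same TLS connection.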