Re: [kitten] Kerberos extra round trips I-D revised
Benjamin Kaduk <kaduk@MIT.EDU> Sun, 09 November 2014 01:41 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FBFD1A00F5 for <kitten@ietfa.amsl.com>; Sat, 8 Nov 2014 17:41:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.795
X-Spam-Level:
X-Spam-Status: No, score=-4.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pUxIfN66I0Xc for <kitten@ietfa.amsl.com>; Sat, 8 Nov 2014 17:41:17 -0800 (PST)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 573FF1A00F2 for <kitten@ietf.org>; Sat, 8 Nov 2014 17:41:16 -0800 (PST)
X-AuditID: 12074424-f79346d000004923-f8-545ec63b5441
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id D9.24.18723.B36CE545; Sat, 8 Nov 2014 20:41:15 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id sA91fFwV003602; Sat, 8 Nov 2014 20:41:15 -0500
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id sA91fCU9007276 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 8 Nov 2014 20:41:14 -0500
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id sA91fCJ2029290; Sat, 8 Nov 2014 20:41:12 -0500 (EST)
Date: Sat, 08 Nov 2014 20:41:12 -0500
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <20141107214348.GW7913@localhost>
Message-ID: <alpine.GSO.1.10.1411082036360.27826@multics.mit.edu>
References: <20141027071704.GC14215@localhost> <alpine.GSO.1.10.1411071543280.27826@multics.mit.edu> <20141107214348.GW7913@localhost>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrLIsWRmVeSWpSXmKPExsUixCmqrWt9LC7E4PVlU4ujm1exWJy6doTN gcnj5alzjB5LlvxkCmCK4rJJSc3JLEst0rdL4MpYOnUHW0GPYMXG99uYGxh38HYxcnJICJhI 9D3exAphi0lcuLeerYuRi0NIYDaTxNVJSxghnA2MEvMeXWCHcA4ySXyb+IkdpEVIoF7id+9B MJtFQEvi2PpvYKPYBFQkZr7ZyAZiiwhoSlyftxTMZhYQllh/bgYziC0sYCOx5fI7oF4ODk4B PYnXEyRAwrwCjhI7V7dC7WpjlLg2fwrYTFEBHYnV+6ewQBQJSpyc+YQFYqaWxPLp21gmMArO QpKahSS1gJFpFaNsSm6Vbm5iZk5xarJucXJiXl5qka65Xm5miV5qSukmRlCosruo7GBsPqR0 iFGAg1GJh/dGS2yIEGtiWXFl7iFGSQ4mJVFe+71xIUJ8SfkplRmJxRnxRaU5qcWHGCU4mJVE eJd3A+V4UxIrq1KL8mFS0hwsSuK8m37whQgJpCeWpGanphakFsFkZTg4lCR4HxwBahQsSk1P rUjLzClBSDNxcIIM5wEaHnwUZHhxQWJucWY6RP4Uo6KUOO85kGYBkERGaR5cLyyVvGIUB3pF mDcOpJ0HmIbgul8BDWYCGuw3MQZkcEkiQkqqgTFYT7BKkDX/0u2DS1fK3vqz9qOJGs/6pcyP 41bPmr3roeX8ZSePn5s9YdbKy7xVffvTJh5M+q3jcVhtYuy/OIaDl9PEC13naCQyujpdyIy8 NUenJdSyZz1X74lrG+/xzBS88mORhv+ig8uMV3NEC2zo1jPredFnPMdRSo19Qvrcgz5FGdOt TgoqsRRnJBpqMRcVJwIAMbdKdQADAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/yEXG0dQnAIPvGpGwEAxLazm2ohA
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos extra round trips I-D revised
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Nov 2014 01:41:19 -0000
On Fri, 7 Nov 2014, Nico Williams wrote: > On Fri, Nov 07, 2014 at 04:13:06PM -0500, Benjamin Kaduk wrote: > > On Mon, 27 Oct 2014, Nico Williams wrote: > > My summary is: [...] > > That's a fine summary. (Except that I think we seem to agree that > there's no need for an initiator->acceptor error context token.) Well, I think the acceptor application should be prepared to handle one if it gets one, but maybe the initiator doesn't always need to make/send one. > > [[anchor2: Question: how should we address this? We could say "give > > priority to the user-to-user mechanism", but in some cases that might > > require changes to the acceptor side.]] > > > > This refers to the potential for conflict with > > draft-swift-win2k-krb-user2user, which I haven't read, so I can't say much > > about. > > Consider an initiator app with a mech with these extensions *and* an > implementation of draft-swift-win2k-krb-user2user. Now imagine this app > talks to an acceptor app that also has both mechanisms but not these > extensions. Can we accidentally end up failing to setup a security > context? > > That was my question. Right, that was clear to me from reading the draft; I just don't have an answer. > > [[anchor3: We could use the GSS_EXTS_FINISHED extension from > > draft-ietf-kitten-iakerb to implement a strong binding of all context > > tokens.]] > > > > I haven't thought about things hard enough to decide whether the gain in > > strength of binding is worth the extra work. > > I think it's not worth the extra work, but it's important that the > acceptor either insist that the cname/crealm of the two AP-REQs be the > same, or else ignore the cname/crealm from the first AP-REQ and then > rely only on the second AP-REQ's cname/crealm. I feel uneasy about the > latter. For PROT_READY purposes it would be convenient if the two I also feel uneasy about the latter. -Ben > Authenticators asserted the same sub-session keys too. I don't think > there's any need to bind any more of the exchange, but then, I like the > binding everything as a generic defensive design security principle.
- [kitten] Kerberos extra round trips I-D revised Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Benjamin Kaduk
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Benjamin Kaduk
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Greg Hudson
- Re: [kitten] Kerberos extra round trips I-D revis… Greg Hudson
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Greg Hudson
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams