[kitten] IETF 92 Meeting Minutes (DRAFT)

⌘ Matt Miller <mamille2@cisco.com> Mon, 30 March 2015 18:30 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/zZCahun_sTYyKrwamYwXRwl9eHQ>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello all,

Below are the draft meeting minutes from the IETF 92 session on Friday
(03/27).  Please send corrections to the list or the chairs
(kitten-chairs@tools.ietf.org).  These will be posted to the meeting
materials site within the next couple of days.

Special thanks again to Jim Schaad for taking minutes!


-- Your kitten co-chairs


-----BEGIN MINUTES-----
IETF 92 - kitten Working Group Minutes
================================================================

Location: IETF 92, Dallas, TX, US (Fairmont Dallas)
Room: Far East
Time: 2015-03-27 1150-1320

Co-Chairs:
  Ben Kaduk
  Matt Miller
  Shawn Emery (really outgoing this time)

Scribe:
  Jim Schaad

Action Items
================================================================

1) draft-ietf-kitten-rfc4402bis
   * Shawn Emery to submit new draft as soon as he gets access
     to the file

2) draft-ietf-kitten-rfc6112bis
   * Shawn Emery to submit new draft, but may not be until end
     of May 2015

3) draft-ietf-kitten-rfc5653bis
   * Chairs to take discussion on Java Stream API to list

4) draft-josefsson-kitten-gs2bis / draft-josefsson-sasl-tls-cb
   * Chairs to work on draft "liaison statement" to TLS WG about
     the need for a functional "tls unique"

5) draft-ietf-krb-wg-pkinit-alg-agility
   * Someone (Chairs?) to revive missing edits on the mailing list

6) Non-WG drafts
   * Chairs to discuss how/when to call for adoption of drafts.

Conference Session
================================================================

1.   Preliminaries (5 min)

2.   Active WG items (20 min)

Chairs briefly review the status of each document, and discuss
any open issues and/or recent comments on each.


2.1  CAMMAC        draft-ietf-kitten-cammac

2.2  GSS-Loop      draft-ietf-kitten-gss-loop

2.3  SASL/OAuth    draft-ietf-kitten-sasl-oauth

2.4  4402 Update   draft-ietf-kitten-rfc4402bis

Shawn Emery will submit new draft as soon as he gets access to
the file.


2.5  6112 Update   draft-ietf-kitten-rfc6112bis

Shawn Emery will do it, but it may take until the end of May.


2.6  5653 Update   draft-ietf-kitten-rfc5653bis

Nico Williams thinks that the stream stuff can be removed.  The
GSI folks use a self-framing method with TLS; one could have
used the Java streaming that way, but not as specified.

Chairs will take this discussion to the list.


2.7  AES/SHA2      draft-ietf-kitten-aes-cts-hmac-sha2

2.8  PKINIT-Fresh  draft-ietf-kitten-pkinit-freshness

2.9  SASL-SAML-EC  draft-ietf-kitten-sasl-saml-ec

2.10 IAKERB        draft-ietf-kitten-iakerb

Nico thinks it should have a mechanism attribute which states that
the mechanism might not succeed.  There are some applications
which need to avoid this state, i.e., they must always succeed.


2.11 Auth-Ind      draft-ietf-kitten-krb-auth-indicator

2.12 GS2 Update    draft-josefsson-kitten-gs2bis

Need to get a new channel binding (e.g.,
draft-josefsson-sasl-tls-cb) until TLS session hash fix gets
rolled out.

Nico says that you need to have the session hash from TLS to be
correct.

This will also be necessary for the Token Binding WG
as well.

Need to have the chairs draft a message asking for changes from
the TLS working group to get real channel bindings.


2.13 IANA-reg      draft-ietf-kitten-gssapi-extensions-iana

Tom Yu believes he can get it done in one or two meetings
cycles, but needs help getting reviews done.


2.14 Channel Bound draft-ietf-kitten-channel-bound-flag

Nico Williams is interested in moving this forward, but does
not have cycles for this.  He needs help to get the state
swapped back in. Simo Sorce from the jabber room would like to
assist with this.


2.15 PKINIT-alg    draft-ietf-krb-wg-pkinit-alg-agility

Need to revive the one missing edit back to the list and Bill
Mills can finish with the edits.


3.   Kerberos PAD (10 minutes)

Ben Kaduk discussed use cases and requests seen by Simo that
motivate reviving the Kerberos PAD draft.

Nico Williams says this is starting to look like SIDs; NFS
people might like this.

Group and user identification numbers need to be scoped correctly.

Will be crossing namespace boundaries when you cross realms.

Shawn Emery would also like a GSS-API interface

Nico Williams says you should be able to get a smaller ticket
from a service in exchange for the large ticket with all of
your data in it.

Stephen Farrell says that we should check with Microsoft to see
if any IPR issues still apply.

Nico Williams states that if inclusion of POSIX information is
covered by IPR, this whole effort is probably dead.


4.   Deprecating old Kerberos encryption types (10 minutes)

Ben Kaduk presented draft-kaduk-kitten-des-des-des-die-die-die

Kenny Paterson asks about key strengths.  The key values
could either be randomly generated or derived from passwords.
If derived from passwords, biases in RC4 are the least of your
attack issues.

Shawn Emery says that some of the newer mechanisms replace
password derived key generation is in stream

Bill Mills says that elimination of Windows XP and 2003 servers
by the PCI compliance enforcement.


5. Kerberos Service Discovery

Ben Kaduk talked about draft-mccallum-kitten-krb-service-discovery.

Nico supports the draft as does Simo Sorce.


6.   Extra round trips in Kerberos (10 minutes)

Nico will present draft-williams-kitten-krb5-extra-rt

Shawn Emery agrees this would be helpful.


7.   GSS-only Kerberos encryption types (10 minutes)

Nico Williams talked about this proposal to bring in, e.g., GCM
mode for improved performance

Ben Kaduk notes that there are several name type registry
entries with strong restrictions on usage context


8.   PKCROSS (10 minutes)

Nico Williams talked about draft-williams-kitten-krb5-pkcross
and the various alternate proposals which have been made.


9.   GSS generic naming attributes (10 minutes)

Nico Williams talked about
draft-williams-kitten-generic-naming-attributes

10.  Open mic (5 min)

Nico Williams regarding the registry - we may be able to drop a
couple of these documents and go directly to IANA expert review on
them.

Chairs poll the room to see how many of the non-WG drafts
people have read, in preparation for a call for adoption.
Poor showing in the room -- generally the same 3 or 4 individuals.

Chairs need to discuss how and when to call for adoption on some
or all of the non-WG documents.
-----END MINUTES-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

iQEcBAEBCgAGBQJVGZZLAAoJEDWi+S0W7cO1jmUH/1oxyQdbQ0YchW5cQGQAXuhX
x+s4IIjnNSR0j3uBYXSeVn++2sZ7ZdirmToWVmZ/mtqrW0AErRWjEi+c7qk9u0MG
ROQAA6Ug6JzmEal43nQk7NiW+Kc8NvitR4oTJPVvYymrqk6OpDW6aEGSF1An762h
KfZ51Lg2eVuJfZ+Im1T6Tx/ane6jORk46otuPg6sol94cXBmFGMv3KTwcBteKbgk
8oNQZmHrUtlPCQCacJ9ouSrPJeXmvq4pC6Hov5qYOLn7je4f5qk+c+K7TRZospUW
PLhBxkhrlAYgO4b7ppRw8xDUcrOrztrIM9mrsiXjckJrgPpbyUrM0GLCRWqzdwA=
=JvfT
-----END PGP SIGNATURE-----