Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-general-pac-02
Nico Williams <nico@cryptonector.com> Tue, 05 July 2011 20:34 UTC
Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B75D821F88CF for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Tue, 5 Jul 2011 13:34:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.177
X-Spam-Level:
X-Spam-Status: No, score=-4.177 tagged_above=-999 required=5 tests=[AWL=1.200, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p-GKzp93tTfg for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Tue, 5 Jul 2011 13:34:40 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by ietfa.amsl.com (Postfix) with ESMTP id 9416A21F88CE for <krb-wg-archive@lists.ietf.org>; Tue, 5 Jul 2011 13:34:40 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 44A186B; Tue, 5 Jul 2011 15:34:40 -0500 (CDT)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id ACFEB6D; Tue, 5 Jul 2011 15:34:39 -0500 (CDT)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 8295F80E9C; Tue, 5 Jul 2011 15:34:39 -0500 (CDT)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by lists.anl.gov (Postfix) with ESMTP id 6E88180E88 for <ietf-krb-wg@lists.anl.gov>; Tue, 5 Jul 2011 15:34:38 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 579937CC09C; Tue, 5 Jul 2011 15:34:38 -0500 (CDT)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16271-10; Tue, 5 Jul 2011 15:34:38 -0500 (CDT)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id 303167CC098 for <ietf-krb-wg@lists.anl.gov>; Tue, 5 Jul 2011 15:34:38 -0500 (CDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjoDANF0E07QYYRCcGdsb2JhbAAzChaEQqM/HAEMCA4HFAMiiHqmSotogxCNXwEEgSuDf4EMh0OKd4wjPIN1
X-IronPort-AV: E=Sophos;i="4.65,481,1304312400"; d="scan'208";a="62921487"
Received: from caiajhbdcagg.dreamhost.com (HELO homiemail-a71.g.dreamhost.com) ([208.97.132.66]) by mailgateway.anl.gov with ESMTP; 05 Jul 2011 15:34:37 -0500
Received: from homiemail-a71.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a71.g.dreamhost.com (Postfix) with ESMTP id 46F5C428078 for <ietf-krb-wg@lists.anl.gov>; Tue, 5 Jul 2011 13:34:37 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc: content-type; q=dns; s=cryptonector.com; b=upMlexmJEaj1w5dXDvOyy CLmFJM/GRiYc+MBKg5InqNJU6WXaPA6+mDpW+HAsm2M8YgTcJlpvvp1NgP5LStHW 8o/a0fvd8EqohIUsQrj9AHK42Ix+y8mqzBrCDFualwMQTgBcc6kiHdGHwytZGTL8 VTeacyZd8I1z0oy0N5JPGo=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=exUb4FOkAAdaK3Ec6lKY Nk8XBT4=; b=XjutSHg/c/Ehys/NlzpMKEolPdwJWOn7IFqYNzXh4lWNf8HTjBUg Daw0SYQT4xn+DrDhkrRHTQb3ZVYBB2Re2Jy7lhf/3FaK3CkGeeaUkoWBgKw8xAKy HCUA9OxMtydSkI2m0kJs6mXgMIUm/5Aviz8MNjP7zoM6h2YoXTXNZ9o=
Received: from mail-pz0-f47.google.com (mail-pz0-f47.google.com [209.85.210.47]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a71.g.dreamhost.com (Postfix) with ESMTPSA id 36D6C428072 for <ietf-krb-wg@lists.anl.gov>; Tue, 5 Jul 2011 13:34:37 -0700 (PDT)
Received: by pzk36 with SMTP id 36so4075780pzk.20 for <ietf-krb-wg@lists.anl.gov>; Tue, 05 Jul 2011 13:34:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.44.103 with SMTP id d7mr9263522pbm.119.1309898076838; Tue, 05 Jul 2011 13:34:36 -0700 (PDT)
Received: by 10.68.50.231 with HTTP; Tue, 5 Jul 2011 13:34:36 -0700 (PDT)
In-Reply-To: <CA265779.21018%josh.howlett@ja.net>
References: <AQHMMAyG4NotbIg08EaueELzIpiRbg==> <CA265779.21018%josh.howlett@ja.net>
Date: Tue, 05 Jul 2011 15:34:36 -0500
Message-ID: <CAK3OfOiTb5_Q3aU466SKZ5hW+eY9+3m2jBqxDVt+-m8Ddy1pBQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Josh Howlett <Josh.Howlett@ja.net>
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Cc: "ietf-krb-wg@lists.anl.gov" <ietf-krb-wg@lists.anl.gov>
Subject: Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-general-pac-02
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/options/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
Sender: ietf-krb-wg-bounces@lists.anl.gov
On Tue, Jun 21, 2011 at 7:12 AM, Josh Howlett <Josh.Howlett@ja.net> wrote: > I took an action at the Prague meeting to review this document. > > 0. Attribute definition > > The document defines a set of attributes, and outlines an extensibility > mechanism for incorporating other attributes. While the semantics > associated with the attributes defined in section 4 seem entirely > reasonable, I am curious why the authors chose to define a > document-specific attribute schema rather than adopt the semantics from > existing attribute schema (e.g. RFC 2307) where equivalent semantics may > have already been defined. I think it's because RFC2307's attributes are not necessarily what we want to use in raw form. For example, in the PAD we want names and IDs, but RFC2307 doesn't give us a single name+ID attribute, thus to use RFC2307 we might have to actually store... what? ASN.1 encoded LDAP responses to searches? That's not a terrible idea, but it does strike me as very odd; we should think about it, even if only to dismiss it. One nice thing about including verbatim LDAP searches and responses is that the system would be inherently extensible. But the result would be rather verbose! > 1. Encoding I don't care that much about encoding. I'd prefer an encoding that produces small size over all other considerations because ticket size is an important consideration here. I like ASN.1 (though I dislike DER), and in particular I like Heimdal's ASN.1 compiler, which makes it easier to handle new ASN.1 modules. > 2. Attribute semantics > > The use-case that motivates the document is authorisation in cross-realm > scenarios. The document notes that there are some challenges with some of > the proposed authorisation semantics in cross-realm scenario (e.g. > identifier collisions), and that local manipulation of incoming attribute > values may be necessary. > > In contemporary federated deployments, it is common to manage this > manipulation explicitly by passing 'entitlement' values rather than > explicit authorisations: the privileges associated with an entitlement are > derived locally. That's pretty much with Simo's proposal does: it's the end node's responsibility (or the last hop realm's) to map remote authorization data to local authorization data. I would like additional authorization data elements besides UID and GIDs. I'm thinking of: netgroups, labels (think Smack, MLS, ...), and privileges. See http://tools.ietf.org/html/draft-ietf-nfsv4-rpcsec-gssv3-00 for more information. > I encourage the authors to consider the potential of attributes with > entitlement semantics, and also entitlement values that may have general > applicability. +1, though I think we'll need specific examples in order to get the discussion going. Nico -- _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
- [Ietf-krb-wg] Review of draft-sorce-krbwg-general… Josh Howlett
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Simo Sorce
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Josh Howlett
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Cantor, Scott E.
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Henry B. Hotz
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Martin Rex
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Cantor, Scott E.
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Sam Hartman
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Simo Sorce
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Sam Hartman
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Simo Sorce
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Nico Williams
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Nico Williams
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Nico Williams
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Cantor, Scott E.
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Nico Williams
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Cantor, Scott E.
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Nico Williams
- Re: [Ietf-krb-wg] Review of draft-sorce-krbwg-gen… Cantor, Scott E.