Re: [Ietf-krb-wg] 6.5.5. Outer and Inner Requests - PA-FX-COOKIE
Sam Hartman <hartmans-ietf@mit.edu> Fri, 17 April 2009 07:51 UTC
>>>>> "Srinivas" == Srinivas Cheruku <srinivas.cheruku@gmail.com> writes:

    Srinivas> Do you think it is better to include PA-FX-COOKIE inside
    Srinivas> PA-FX-FAST similar to other padata? e.g. outer request
    Srinivas> and AS response would contain only PA-FX-FAST and other
    Srinivas> padata including PA-FX-COOKIE inside PA-FX-FAST. This
    Srinivas> would mean that PA-FX-COOKIE would also be secured
    Srinivas> similar to other padata.

Yes. The cookie was outside because you needed the cookie to be
outside in order to calculate the finish checksum without some very
complicated compression functions. However, now that we've removed the
finish checksum, the cookie needs to move inside.

Here's my draft text from 6.5.5 in draft 11. We'll be posting draft
11 in a couple of days after Larry finishes his edits.

<section title="Outer and Inner Requests">
<t>Typically, a client will know that FAST is being used before a
request containing PA-FX-FAST is sent. So, the outer AS request
typically only includes one pa-data item: PA-FX-FAST. The client MAY
include additional pa-data, but the KDC MUST ignore the outer request
body and any padata besides PA-FX-FAST if PA-FX-FAST is processed. In
the case of the TGS request, the outer request should include
PA-FX-FAST and PA-TGS-REQ.</t>

<t>When an AS generates a response, all padata besides PA-FX-FAST
should be included in PA-FX-FAST. The client MUST ignore other padata
outside of PA-FX-FAST.</t>
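The processing rule in the draft text above for the AS exchange, as an added Python sketch that is not part of the original message or of the draft: once PA-FX-FAST is processed, only the padata inside it is acted on, so a cookie left outside is discarded. The function names, the tuple representation of padata and the `unwrap` stand-in for FAST armor decryption are assumptions of this example; the sample messages are constructed.

```python
# Kerberos padata type numbers (RFC 6113 registry values).
PA_FX_COOKIE = 133
PA_FX_FAST = 136
PA_ENCRYPTED_CHALLENGE = 138


def effective_padata(outer, decrypt_fast):
    """Return (used, ignored) padata for an AS message under the 6.5.5 rule.

    outer        -- list of (padata_type, value) taken from the outer message
    decrypt_fast -- hypothetical callable mapping the PA-FX-FAST value to the
                    authenticated inner padata list; it must raise on failure
    """
    fast = [value for ptype, value in outer if ptype == PA_FX_FAST]
    if not fast:
        # FAST not in use: the outer padata is processed as usual.
        return list(outer), []
    if len(fast) > 1:
        # Policy choice of this example, not stated in the draft text.
        raise ValueError("more than one PA-FX-FAST element")
    inner = decrypt_fast(fast[0])
    # Everything beside PA-FX-FAST is unprotected and must not be acted on.
    # Returning it separately lets the caller log unexpected outer padata.
    ignored = [(t, v) for t, v in outer if t != PA_FX_FAST]
    return list(inner), ignored


def unwrap(value):
    # Stand-in for real armor-key decryption and verification (assumption).
    return value["inner"]


def demo():
    # Constructed sample: a cookie placed beside PA-FX-FAST (unprotected).
    cookie_outside = [
        (PA_FX_COOKIE, b"unauthenticated"),
        (PA_FX_FAST, {"inner": [(PA_ENCRYPTED_CHALLENGE, b"chal")]}),
    ]
    # Constructed sample: the cookie carried inside PA-FX-FAST.
    cookie_inside = [
        (PA_FX_FAST, {"inner": [(PA_FX_COOKIE, b"kdc-state"),
                                (PA_ENCRYPTED_CHALLENGE, b"chal")]}),
    ]
    return (effective_padata(cookie_outside, unwrap),
            effective_padata(cookie_inside, unwrap))


if __name__ == "__main__":
    for used, ignored in demo():
        print("used:", used, "ignored:", ignored)
```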