[Ietf-krb-wg] Document Action: 'Using Kerberos V5 over the Transport Layer Security (TLS) protocol' to Informational RFC (draft-josefsson-kerberos5-starttls-09.txt)
The IESG <iesg-secretary@ietf.org> Tue, 08 March 2011 14:33 UTC
Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@core3.amsl.com
Delivered-To: ietfarch-krb-wg-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6F3493A68F7 for <ietfarch-krb-wg-archive@core3.amsl.com>; Tue, 8 Mar 2011 06:33:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.599
X-Spam-Level:
X-Spam-Status: No, score=-104.599 tagged_above=-999 required=5 tests=[AWL=2.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3AveS6Ac5cG0 for <ietfarch-krb-wg-archive@core3.amsl.com>; Tue, 8 Mar 2011 06:33:03 -0800 (PST)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by core3.amsl.com (Postfix) with ESMTP id 3E2F73A6859 for <krb-wg-archive@lists.ietf.org>; Tue, 8 Mar 2011 06:33:03 -0800 (PST)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 127A612; Tue, 8 Mar 2011 08:34:18 -0600 (CST)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id BC6EE41; Tue, 8 Mar 2011 08:34:14 -0600 (CST)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 8D5B580E93; Tue, 8 Mar 2011 08:34:14 -0600 (CST)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by lists.anl.gov (Postfix) with ESMTP id 74BD380E8C for <ietf-krb-wg@lists.anl.gov>; Tue, 8 Mar 2011 08:34:12 -0600 (CST)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 5094E7CC064; Tue, 8 Mar 2011 08:34:12 -0600 (CST)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04010-10; Tue, 8 Mar 2011 08:34:12 -0600 (CST)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id 201267CC05F for <ietf-krb-wg@lists.anl.gov>; Tue, 8 Mar 2011 08:34:12 -0600 (CST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AlEAAK7MdU1AqmIgi2dsb2JhbACYUAGNbxUBAQEKCwoHDwcgvySFYwSFHYpc
X-IronPort-AV: E=Sophos;i="4.62,284,1297058400"; d="scan'208";a="56492978"
Received: from mail.ietf.org ([64.170.98.32]) by mailgateway.anl.gov with ESMTP; 08 Mar 2011 08:34:11 -0600
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C519C3A68CB; Tue, 8 Mar 2011 06:32:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sq1wmPOk3Tos; Tue, 8 Mar 2011 06:32:54 -0800 (PST)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 43ECB3A67BD; Tue, 8 Mar 2011 06:32:54 -0800 (PST)
MIME-Version: 1.0
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 3.12
Message-ID: <20110308143254.26408.75461.idtracker@localhost>
Date: Tue, 08 Mar 2011 06:32:54 -0800
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Cc: krb-wg mailing list <ietf-krb-wg@lists.anl.gov>, Internet Architecture Board <iab@iab.org>, krb-wg chair <krb-wg-chairs@tools.ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>
Subject: [Ietf-krb-wg] Document Action: 'Using Kerberos V5 over the Transport Layer Security (TLS) protocol' to Informational RFC (draft-josefsson-kerberos5-starttls-09.txt)
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/options/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
Sender: ietf-krb-wg-bounces@lists.anl.gov
The IESG has approved the following document: - 'Using Kerberos V5 over the Transport Layer Security (TLS) protocol' (draft-josefsson-kerberos5-starttls-09.txt) as an Informational RFC This document is the product of the Kerberos Working Group. The IESG contact persons are Tim Polk and Sean Turner. A URL of this Internet Draft is: http://datatracker.ietf.org/doc/draft-josefsson-kerberos5-starttls/ Technical Summary This document specify how the Kerberos V5 protocol can be transported over the Transport Layer Security (TLS) protocol, to provide additional security features. Working Group Summary This technical specification represents the consensus of the Kerberos Working Group. However, the working group is also working on an alternate solution to an overlapping problem. It is not yet clear whether either or both specifications will win in the marketplace or whether either will become mandatory in a future version of the base Kerberos specification. However, we feel it is important to publish these specifications to gain implemention and deployment experience. Therefore, we are requesting publication of this document as an Informational RFC, and may request that it be upgraded to Proposed Standard at a later time. Document Quality At least one implementor has indicated an intention to support the extension described in this document. Personnel The Document Shepherd for this document is Jeffrey Hutzelman. The responsible Area Director is Tim Polk. RFC Editor Note In Section 4, change: OLD: Section 7.2.3 of Kerberos V5 [RFC4120] describe how Domain Name System (DNS) SRV records [RFC2782] can be used to find the address of an KDC. We define a new Proto of "tls" to indicate that the particular KDC is intended to support this STARTTLS extension. The Service, Realm, TTL, Class, SRV, Priority, Weight, Port and Target have the same meaning as in RFC 4120. For example: _kerberos._tls.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. _kerberos._tls.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. NEW: Section 7.2.3 of Kerberos V5 [RFC4120] describe how Domain Name System (DNS) SRV records [RFC2782] can be used to find the address of an KDC. We define a new Service of "kerberos-tls" to indicate that the particular KDC is intended to support this STARTTLS extension. The Proto (tcp), Realm, TTL, Class, SRV, Priority, Weight, Port and Target have the same meaning as in RFC 4120. For example: _kerberos-tls._tcp.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. _kerberos-tls._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. In Section 5, please make the following substitution: OLD The Kerberos V5 STARTTLS protocol do not require clients to verify the server certificate. The goal is that support for TLS in Kerberos V5 clients should be as easy to implement and deploy as support for UDP/TCP. Use of TLS, even without server certificate validation, protects against some attacks that Kerberos V5 over UDP/TCP do not. (For example, passive network sniffing between the user and the KDC to track which Kerberos services are used by the user.) To require server certificates to be validated at all times would lead to disabling of TLS when clients are unable to validate server certificates, and this may have worse security properties than using TLS and not validate the server certificate would have. Many client environments do not have secure long-term storage, which is required to validate certificates. This makes it impossible to use server certificate validation on a large number of client systems. NEW A goal for the protocol described in this memo is that it should be as easy to implement and deploy on clients as support for UDP/TCP. Since many client environments do not have secure long-term storage (and server certificate validation requires some form of long-term storage), the Kerberos V5 STARTTLS protocol does not require clients to verify server certificates. If server certification had been required, then environments with constrained clients such as those mentioned would be forced to disable TLS; this would arguably be worse than TLS without server certificate validation as use of TLS, even without server certificate validation, protects against some attacks that Kerberos V5 over UDP/TCP do not. For example, even without server certificate validation, TLS does protect against passive network sniffing aimed at tracking Kerberos service usage by a given client. Note however that use of TLS without server certificate verification opens up for a range of active attacks such as man-in-the-middle. In order to safely validate certificates, a client needs access to secure long-term storage. However, many client environments do not provide secure long-term storage (e.g., because the machine has been compromised). This makes it impossible to use server certificate validation on a large number of client systems. _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg