Re: [Ietf-krb-wg] Comments on adopting draft-sorce-krbwg-general-pad as a work item
Simo Sorce <simo@redhat.com> Sun, 17 July 2011 23:11 UTC
Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C41E21F8520 for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Sun, 17 Jul 2011 16:11:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.249
X-Spam-Level:
X-Spam-Status: No, score=-106.249 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NlFaojiovVnG for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Sun, 17 Jul 2011 16:11:30 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by ietfa.amsl.com (Postfix) with ESMTP id 3AE7F21F850E for <krb-wg-archive@lists.ietf.org>; Sun, 17 Jul 2011 16:11:30 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id C9D8455; Sun, 17 Jul 2011 18:11:29 -0500 (CDT)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 69F024C; Sun, 17 Jul 2011 18:11:29 -0500 (CDT)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id B419080E91; Sun, 17 Jul 2011 18:11:28 -0500 (CDT)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by lists.anl.gov (Postfix) with ESMTP id A4D1B80035 for <ietf-krb-wg@lists.anl.gov>; Sun, 17 Jul 2011 18:11:26 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 84FB27CC05D; Sun, 17 Jul 2011 18:11:26 -0500 (CDT)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08970-05; Sun, 17 Jul 2011 18:11:26 -0500 (CDT)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id 5585B7CC05C for <ietf-krb-wg@lists.anl.gov>; Sun, 17 Jul 2011 18:11:26 -0500 (CDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqUBAJ5rI07RhLcckWdsb2JhbABRhEmjKRQBAQEBCQsLBxQGH4h8sX6PaoErhAKBDwSXZ4tw
X-IronPort-AV: E=Sophos;i="4.67,218,1309755600"; d="scan'208";a="63605815"
Received: from mx1.redhat.com ([209.132.183.28]) by mailgateway.anl.gov with ESMTP; 17 Jul 2011 18:11:24 -0500
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id p6HNBN8q013142 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 17 Jul 2011 19:11:24 -0400
Received: from [10.3.113.32] (ovpn-113-32.phx2.redhat.com [10.3.113.32]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id p6HNBM49008475; Sun, 17 Jul 2011 19:11:23 -0400
From: Simo Sorce <simo@redhat.com>
To: Shawn Emery <shawn.emery@oracle.com>
In-Reply-To: <4E1A96F6.6020308@oracle.com>
References: <tslr56cohgy.fsf@mit.edu> <4E194EE2.7090502@oracle.com> <1310304454.8182.122.camel@willson.li.ssimo.org> <4E1A96F6.6020308@oracle.com>
Organization: Red Hat, Inc.
Date: Sun, 17 Jul 2011 19:11:22 -0400
Message-ID: <1310944282.23822.61.camel@willson.li.ssimo.org>
Mime-Version: 1.0
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Cc: ietf-krb-wg@lists.anl.gov
Subject: Re: [Ietf-krb-wg] Comments on adopting draft-sorce-krbwg-general-pad as a work item
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/options/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
Sender: ietf-krb-wg-bounces@lists.anl.gov
On Mon, 2011-07-11 at 00:23 -0600, Shawn Emery wrote: > On 07/10/11 07:27 AM, Simo Sorce wrote: > > On Sun, 2011-07-10 at 01:04 -0600, Shawn Emery wrote: > >> On 06/29/11 08:11 AM, Sam Hartman wrote: > >>> The chairs would like to solicit comments on whether the PAD draft is > >>> ready for us to adopt as a working group draft. > >>> Please send comments by July 10. > >> Sorry for the late reply... > >> > >> General: > >> > >> It would be nice to standardize the interface (C bindings) or provide > >> examples for accessing PAC data through standards track interfaces. > >> > >> There have been implementations of non-standardized interfaces, such > >> as gss_inquire_sec_context_by_oid. It would be out of scope for this > >> draft to cover a GSS-API like this, but should be considered as a > >> complimentary draft. > >> > >> 4.4 PAD-DNS-Domain > >> > >> Couldn't you also have multiple domains map to a single realm? > > This refers to the main domain name in use, others can be available but > > they are not relevant for user authorization data. > > > >> 4.6. PAD-Domain-UUID > >> > >> uuid_t is 128 bits, shouldn't this be in alignment with uuid* > >> functions? > >> Providing a reference on how the Domain-UUID is constructed would > >> be helpful. > > This is vague as we want to allow easy mapping of Windows Domain SIDs > > into this field for interop purposes. So this is literally just a Unique > > Identifier, I can change the name if it is felt that using UUID is > > confusing. > > Yes, this would be helpful. Ok, what about PAD-UDID (Unique Domain ID) ? > >> 4.7. PAD-Posix-Username > >> > >> In general it would be nice to have at least a non-normative > >> reference for the Posix attributes. > > I have been asked to refer to RFC 2307 for attributes. I will go thorugh > > RFC 2307 before the next draft and verify if the definitions there are > > adequate (For example I do not want to force these names to be case > > sensitive although implementations are free to treat them in a case > > sensitive way if they really, really want to. > > Is there is a reference that could be used that is not experimental? I looked into the POSIX.1-2008 standard* next to see if these attributes are defined well enough to use it as a normative reference. It looks like they are very loosely defined in there. * IEEE Std 1003.1-2008 / The Open Group bBase Specifications Issue 7 > >> 4.14. PAD-AlternateNames > >> > >> Why can't this be more generic for any naming attribute that > >> applications can use? > > I am not sure I understand the objection, can you make an example of > > what you'd like to use this attribute for ? > > Refer to draft-ietf-kitten-gssapi-naming-exts::6. Representation of > Attribute Names. Uhmm you defined some characters as special in that document (space and ':'), but I don;t see any discussion about escaping in case those characters are part of the actual names as opposed to be just separators. ANy reason why this is not a problem in that document ? > >> 5.1. PAD Format > >> > >> Which Host Service Key are you referring to here?: > > host/fqdn@REALM > > This should be defined or referenced. OK. > >> o Optional Host Service Key Signature (for use by trusted services > >> on a host) > >> > >> What about typed holes for future extensions? > > Perhaps, but I am not sure we want to make this field too extensible, it > > makes creating interoperable implementations harder if not done right. > > We should do it right then. > > >> 6.1 SignedPricipalAuthorizationData > >> > >> Why is the following a SHOULD?: > >> > >> Unless otherwise > >> explicitly administratively configured, the key SHOULD be found > >> by substituting the service name component of the principal > >> name > >> of the service with 'host'. > >> > >> As services should try to avoid using shared keys such as this. > > This is not a shared key, this is useful exactly in the opposite case > > where the service key differs from the host key and you cannot trust a > > PAD signed by a service key as host. I would make it a MUST if I didn't > > already spot cases where an implementation might need to use a different > > trusted key (thinking about clusters here). > > Keep in mind that this signature is optional, so you can omit it > > completely, but if you want to use it you SHOULD provide a signature > > based on the host key so that a host trusted service can verify the PAD > > independently from the less trusted service receiving and forwarding it. > > In environment where host and service keys are the same (like in AD) > > this field is useless as it adds no security, so you should just omit > > it. > > I think this should be clarified in the draft. OK > >> 6.2 GSS-API Authenticator Extension > >> > >> Refer to draft-ietf-krb-wg-gss-cb-hash-agility on extension > >> formats. > > I'll take a note. > > Thanks, -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
- [Ietf-krb-wg] Comments on adopting draft-sorce-kr… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Josh Howlett
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Luke Howard
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting Martin Rex
- Re: [Ietf-krb-wg] Comments on adopting Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting Martin Rex
- Re: [Ietf-krb-wg] Comments on adopting Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting Greg Hudson
- Re: [Ietf-krb-wg] Comments on adopting Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Luke Howard
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Luke Howard
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- [Ietf-krb-wg] Experimental status of RFC 2307 Sam Hartman
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Leif Johansson
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Howard Chu
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Sam Hartman
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Howard Chu
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Luke Howard
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Sam Hartman
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Leif Johansson
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Jeffrey Hutzelman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Jeffrey Hutzelman