IETF Logo Mail Archive

Re: [Ietf-krb-wg] Comments on adopting draft-sorce-krbwg-general-pad as a work item

Simo Sorce <simo@redhat.com> Sun, 17 July 2011 23:11 UTC

Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C41E21F8520 for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Sun, 17 Jul 2011 16:11:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.249
X-Spam-Level:
X-Spam-Status: No, score=-106.249 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NlFaojiovVnG for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Sun, 17 Jul 2011 16:11:30 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by ietfa.amsl.com (Postfix) with ESMTP id 3AE7F21F850E for <krb-wg-archive@lists.ietf.org>; Sun, 17 Jul 2011 16:11:30 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id C9D8455; Sun, 17 Jul 2011 18:11:29 -0500 (CDT)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 69F024C; Sun, 17 Jul 2011 18:11:29 -0500 (CDT)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id B419080E91; Sun, 17 Jul 2011 18:11:28 -0500 (CDT)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by lists.anl.gov (Postfix) with ESMTP id A4D1B80035 for <ietf-krb-wg@lists.anl.gov>; Sun, 17 Jul 2011 18:11:26 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 84FB27CC05D; Sun, 17 Jul 2011 18:11:26 -0500 (CDT)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08970-05; Sun, 17 Jul 2011 18:11:26 -0500 (CDT)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id 5585B7CC05C for <ietf-krb-wg@lists.anl.gov>; Sun, 17 Jul 2011 18:11:26 -0500 (CDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqUBAJ5rI07RhLcckWdsb2JhbABRhEmjKRQBAQEBCQsLBxQGH4h8sX6PaoErhAKBDwSXZ4tw
X-IronPort-AV: E=Sophos;i="4.67,218,1309755600"; d="scan'208";a="63605815"
Received: from mx1.redhat.com ([209.132.183.28]) by mailgateway.anl.gov with ESMTP; 17 Jul 2011 18:11:24 -0500
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id p6HNBN8q013142 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 17 Jul 2011 19:11:24 -0400
Received: from [10.3.113.32] (ovpn-113-32.phx2.redhat.com [10.3.113.32]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id p6HNBM49008475; Sun, 17 Jul 2011 19:11:23 -0400
From: Simo Sorce <simo@redhat.com>
To: Shawn Emery <shawn.emery@oracle.com>
In-Reply-To: <4E1A96F6.6020308@oracle.com>
References: <tslr56cohgy.fsf@mit.edu> <4E194EE2.7090502@oracle.com> <1310304454.8182.122.camel@willson.li.ssimo.org> <4E1A96F6.6020308@oracle.com>
Organization: Red Hat, Inc.
Date: Sun, 17 Jul 2011 19:11:22 -0400
Message-ID: <1310944282.23822.61.camel@willson.li.ssimo.org>
Mime-Version: 1.0
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Cc: ietf-krb-wg@lists.anl.gov
Subject: Re: [Ietf-krb-wg] Comments on adopting draft-sorce-krbwg-general-pad as a work item
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/options/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
Sender: ietf-krb-wg-bounces@lists.anl.gov

On Mon, 2011-07-11 at 00:23 -0600, Shawn Emery wrote:
> On 07/10/11 07:27 AM, Simo Sorce wrote:
> > On Sun, 2011-07-10 at 01:04 -0600, Shawn Emery wrote:
> >> On 06/29/11 08:11 AM, Sam Hartman wrote:
> >>> The chairs would like to solicit comments on whether the PAD draft is
> >>> ready for us to adopt as a working group draft.
> >>> Please send comments by July 10.
> >> Sorry for the late reply...
> >>
> >> General:
> >>
> >> It would be nice to standardize the interface (C bindings) or provide
> >> examples for accessing PAC data through standards track interfaces.
> >>
> >> There have been implementations of non-standardized interfaces, such
> >> as gss_inquire_sec_context_by_oid.  It would be out of scope for this
> >> draft to cover a GSS-API like this, but should be considered as a
> >> complimentary draft.
> >>
> >> 4.4 PAD-DNS-Domain
> >>
> >>      Couldn't you also have multiple domains map to a single realm?
> > This refers to the main domain name in use, others can be available but
> > they are not relevant for user authorization data.
> >
> >> 4.6. PAD-Domain-UUID
> >>
> >>      uuid_t is 128 bits, shouldn't this be in alignment with uuid*
> >> functions?
> >>      Providing a reference on how the Domain-UUID is constructed would
> >> be helpful.
> > This is vague as we want to allow easy mapping of Windows Domain SIDs
> > into this field for interop purposes. So this is literally just a Unique
> > Identifier, I can change the name if it is felt that using UUID is
> > confusing.
> 
> Yes, this would be helpful.

Ok, what about PAD-UDID (Unique Domain ID) ?

> >> 4.7. PAD-Posix-Username
> >>
> >>      In general it would be nice to have at least a non-normative
> >> reference for the Posix attributes.
> > I have been asked to refer to RFC 2307 for attributes. I will go thorugh
> > RFC 2307 before the next draft and verify if the definitions there are
> > adequate (For example I do not want to force these names to be case
> > sensitive although implementations are free to treat them in a case
> > sensitive way if they really, really want to.
> 
> Is there is a reference that could be used that is not experimental?

I looked into the POSIX.1-2008 standard* next to see if these attributes
are defined well enough to use it as a normative reference.
It looks like they are very loosely defined in there.


* IEEE Std 1003.1-2008 / The Open Group bBase Specifications Issue 7

> >> 4.14. PAD-AlternateNames
> >>
> >>      Why can't this be more generic for any naming attribute that
> >> applications can use?
> > I am not sure I understand the objection, can you make an example of
> > what you'd like to use this attribute for ?
> 
> Refer to draft-ietf-kitten-gssapi-naming-exts::6. Representation of 
> Attribute Names.

Uhmm you defined some characters as special in that document (space and
':'), but I don;t see any discussion about escaping in case those
characters are part of the actual names as opposed to be just
separators. ANy reason why this is not a problem in that document ?

> >> 5.1. PAD Format
> >>
> >>      Which Host Service Key are you referring to here?:
> > host/fqdn@REALM
> 
> This should be defined or referenced.

OK.

> >>     o  Optional Host Service Key Signature (for use by trusted services
> >>        on a host)
> >>
> >>      What about typed holes for future extensions?
> > Perhaps, but I am not sure we want to make this field too extensible, it
> > makes creating interoperable implementations harder if not done right.
> 
> We should do it right then.
> 
> >> 6.1 SignedPricipalAuthorizationData
> >>
> >>      Why is the following a SHOULD?:
> >>
> >>      Unless otherwise
> >>         explicitly administratively configured, the key SHOULD be found
> >>         by substituting the service name component of the principal
> >> name
> >>         of the service with 'host'.
> >>
> >>      As services should try to avoid using shared keys such as this.
> > This is not a shared key, this is useful exactly in the opposite case
> > where the service key differs from the host key and you cannot trust a
> > PAD signed by a service key as host. I would make it a MUST if I didn't
> > already spot cases where an implementation might need to use a different
> > trusted key (thinking about clusters here).
> > Keep in mind that this signature is optional, so you can omit it
> > completely, but if you want to use it you SHOULD provide a signature
> > based on the host key so that a host trusted service can verify the PAD
> > independently from the less trusted service receiving and forwarding it.
> > In environment where host and service keys are the same (like in AD)
> > this field is useless as it adds no security, so you should just omit
> > it.
> 
> I think this should be clarified in the draft.

OK

> >> 6.2 GSS-API Authenticator Extension
> >>
> >>      Refer to draft-ietf-krb-wg-gss-cb-hash-agility on extension
> >> formats.
> > I'll take a note.
> 
> Thanks,

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg

v2.23.0 | Report a Bug | By Email