IETF Logo Mail Archive

Re: [Ietf-krb-wg] Comments on adopting draft-sorce-krbwg-general-pad as a work item

Shawn Emery <shawn.emery@oracle.com> Mon, 11 July 2011 06:24 UTC

Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC2F121F853E for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Sun, 10 Jul 2011 23:24:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.915
X-Spam-Level:
X-Spam-Status: No, score=-4.915 tagged_above=-999 required=5 tests=[AWL=1.684, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oCw5GSQOVJ-5 for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Sun, 10 Jul 2011 23:24:20 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by ietfa.amsl.com (Postfix) with ESMTP id AFCBC21F88D5 for <krb-wg-archive@lists.ietf.org>; Sun, 10 Jul 2011 23:24:20 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 91A0D60; Mon, 11 Jul 2011 01:24:19 -0500 (CDT)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 4F3D659; Mon, 11 Jul 2011 01:24:18 -0500 (CDT)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 896482CC104; Mon, 11 Jul 2011 01:24:17 -0500 (CDT)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by lists.anl.gov (Postfix) with ESMTP id 8229080E9C for <ietf-krb-wg@lists.anl.gov>; Mon, 11 Jul 2011 01:24:15 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 6ABEB7CC05E; Mon, 11 Jul 2011 01:24:15 -0500 (CDT)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16388-01; Mon, 11 Jul 2011 01:24:15 -0500 (CDT)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id D63CB7CC060 for <ietf-krb-wg@lists.anl.gov>; Mon, 11 Jul 2011 01:24:14 -0500 (CDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvMAANyWGk6UV3F1mWdsb2JhbABThESiehQBAQEBAQgLCwcUJYh6Aq4YkCiBK4QAgQ8Eh06LBoR+i2g
X-IronPort-AV: E=Sophos;i="4.65,513,1304312400"; d="scan'208";a="63267729"
Received: from rcsinet15.oracle.com ([148.87.113.117]) by mailgateway.anl.gov with ESMTP/TLS/DHE-RSA-AES256-SHA; 11 Jul 2011 01:24:08 -0500
Received: from rtcsinet22.oracle.com (rtcsinet22.oracle.com [66.248.204.30]) by rcsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id p6B6O5Zq025856 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <ietf-krb-wg@lists.anl.gov>; Mon, 11 Jul 2011 06:24:07 GMT
Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157]) by rtcsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id p6B6O4tP006003 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-krb-wg@lists.anl.gov>; Mon, 11 Jul 2011 06:24:05 GMT
Received: from abhmt114.oracle.com (abhmt114.oracle.com [141.146.116.66]) by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p6B6Nxbt015022 for <ietf-krb-wg@lists.anl.gov>; Mon, 11 Jul 2011 01:23:59 -0500
Received: from [10.7.250.160] (/10.7.250.160) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 10 Jul 2011 23:23:59 -0700
Message-ID: <4E1A96F6.6020308@oracle.com>
Date: Mon, 11 Jul 2011 00:23:50 -0600
From: Shawn Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.9.2.17) Gecko/20110609 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: ietf-krb-wg@lists.anl.gov
References: <tslr56cohgy.fsf@mit.edu> <4E194EE2.7090502@oracle.com> <1310304454.8182.122.camel@willson.li.ssimo.org>
In-Reply-To: <1310304454.8182.122.camel@willson.li.ssimo.org>
X-Source-IP: rtcsinet22.oracle.com [66.248.204.30]
X-CT-RefId: str=0001.0A090207.4E1A9707.00BF:SCFSTAT5015188, ss=1, re=-4.000, fgs=0
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Subject: Re: [Ietf-krb-wg] Comments on adopting draft-sorce-krbwg-general-pad as a work item
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/options/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
Sender: ietf-krb-wg-bounces@lists.anl.gov

On 07/10/11 07:27 AM, Simo Sorce wrote:
> On Sun, 2011-07-10 at 01:04 -0600, Shawn Emery wrote:
>> On 06/29/11 08:11 AM, Sam Hartman wrote:
>>> The chairs would like to solicit comments on whether the PAD draft is
>>> ready for us to adopt as a working group draft.
>>> Please send comments by July 10.
>> Sorry for the late reply...
>>
>> General:
>>
>> It would be nice to standardize the interface (C bindings) or provide
>> examples for accessing PAC data through standards track interfaces.
>>
>> There have been implementations of non-standardized interfaces, such
>> as gss_inquire_sec_context_by_oid.  It would be out of scope for this
>> draft to cover a GSS-API like this, but should be considered as a
>> complimentary draft.
>>
>> 4.4 PAD-DNS-Domain
>>
>>      Couldn't you also have multiple domains map to a single realm?
> This refers to the main domain name in use, others can be available but
> they are not relevant for user authorization data.
>
>> 4.6. PAD-Domain-UUID
>>
>>      uuid_t is 128 bits, shouldn't this be in alignment with uuid*
>> functions?
>>      Providing a reference on how the Domain-UUID is constructed would
>> be helpful.
> This is vague as we want to allow easy mapping of Windows Domain SIDs
> into this field for interop purposes. So this is literally just a Unique
> Identifier, I can change the name if it is felt that using UUID is
> confusing.

Yes, this would be helpful.

>> 4.7. PAD-Posix-Username
>>
>>      In general it would be nice to have at least a non-normative
>> reference for the Posix attributes.
> I have been asked to refer to RFC 2307 for attributes. I will go thorugh
> RFC 2307 before the next draft and verify if the definitions there are
> adequate (For example I do not want to force these names to be case
> sensitive although implementations are free to treat them in a case
> sensitive way if they really, really want to.

Is there is a reference that could be used that is not experimental?

>> 4.14. PAD-AlternateNames
>>
>>      Why can't this be more generic for any naming attribute that
>> applications can use?
> I am not sure I understand the objection, can you make an example of
> what you'd like to use this attribute for ?

Refer to draft-ietf-kitten-gssapi-naming-exts::6. Representation of 
Attribute Names.

>> 5.1. PAD Format
>>
>>      Which Host Service Key are you referring to here?:
> host/fqdn@REALM

This should be defined or referenced.

>>     o  Optional Host Service Key Signature (for use by trusted services
>>        on a host)
>>
>>      What about typed holes for future extensions?
> Perhaps, but I am not sure we want to make this field too extensible, it
> makes creating interoperable implementations harder if not done right.

We should do it right then.

>> 6.1 SignedPricipalAuthorizationData
>>
>>      Why is the following a SHOULD?:
>>
>>      Unless otherwise
>>         explicitly administratively configured, the key SHOULD be found
>>         by substituting the service name component of the principal
>> name
>>         of the service with 'host'.
>>
>>      As services should try to avoid using shared keys such as this.
> This is not a shared key, this is useful exactly in the opposite case
> where the service key differs from the host key and you cannot trust a
> PAD signed by a service key as host. I would make it a MUST if I didn't
> already spot cases where an implementation might need to use a different
> trusted key (thinking about clusters here).
> Keep in mind that this signature is optional, so you can omit it
> completely, but if you want to use it you SHOULD provide a signature
> based on the host key so that a host trusted service can verify the PAD
> independently from the less trusted service receiving and forwarding it.
> In environment where host and service keys are the same (like in AD)
> this field is useless as it adds no security, so you should just omit
> it.

I think this should be clarified in the draft.

>> 6.2 GSS-API Authenticator Extension
>>
>>      Refer to draft-ietf-krb-wg-gss-cb-hash-agility on extension
>> formats.
> I'll take a note.

Thanks,

Shawn.
--
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg

v2.23.0 | Report a Bug | By Email