Re: [Ietf-krb-wg] Comments on adopting draft-sorce-krbwg-general-pad as a work item
Shawn Emery <shawn.emery@oracle.com> Mon, 11 July 2011 06:24 UTC
Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC2F121F853E for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Sun, 10 Jul 2011 23:24:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.915
X-Spam-Level:
X-Spam-Status: No, score=-4.915 tagged_above=-999 required=5 tests=[AWL=1.684, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oCw5GSQOVJ-5 for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Sun, 10 Jul 2011 23:24:20 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by ietfa.amsl.com (Postfix) with ESMTP id AFCBC21F88D5 for <krb-wg-archive@lists.ietf.org>; Sun, 10 Jul 2011 23:24:20 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 91A0D60; Mon, 11 Jul 2011 01:24:19 -0500 (CDT)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 4F3D659; Mon, 11 Jul 2011 01:24:18 -0500 (CDT)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 896482CC104; Mon, 11 Jul 2011 01:24:17 -0500 (CDT)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by lists.anl.gov (Postfix) with ESMTP id 8229080E9C for <ietf-krb-wg@lists.anl.gov>; Mon, 11 Jul 2011 01:24:15 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 6ABEB7CC05E; Mon, 11 Jul 2011 01:24:15 -0500 (CDT)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16388-01; Mon, 11 Jul 2011 01:24:15 -0500 (CDT)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id D63CB7CC060 for <ietf-krb-wg@lists.anl.gov>; Mon, 11 Jul 2011 01:24:14 -0500 (CDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvMAANyWGk6UV3F1mWdsb2JhbABThESiehQBAQEBAQgLCwcUJYh6Aq4YkCiBK4QAgQ8Eh06LBoR+i2g
X-IronPort-AV: E=Sophos;i="4.65,513,1304312400"; d="scan'208";a="63267729"
Received: from rcsinet15.oracle.com ([148.87.113.117]) by mailgateway.anl.gov with ESMTP/TLS/DHE-RSA-AES256-SHA; 11 Jul 2011 01:24:08 -0500
Received: from rtcsinet22.oracle.com (rtcsinet22.oracle.com [66.248.204.30]) by rcsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id p6B6O5Zq025856 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <ietf-krb-wg@lists.anl.gov>; Mon, 11 Jul 2011 06:24:07 GMT
Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157]) by rtcsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id p6B6O4tP006003 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-krb-wg@lists.anl.gov>; Mon, 11 Jul 2011 06:24:05 GMT
Received: from abhmt114.oracle.com (abhmt114.oracle.com [141.146.116.66]) by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p6B6Nxbt015022 for <ietf-krb-wg@lists.anl.gov>; Mon, 11 Jul 2011 01:23:59 -0500
Received: from [10.7.250.160] (/10.7.250.160) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 10 Jul 2011 23:23:59 -0700
Message-ID: <4E1A96F6.6020308@oracle.com>
Date: Mon, 11 Jul 2011 00:23:50 -0600
From: Shawn Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.9.2.17) Gecko/20110609 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: ietf-krb-wg@lists.anl.gov
References: <tslr56cohgy.fsf@mit.edu> <4E194EE2.7090502@oracle.com> <1310304454.8182.122.camel@willson.li.ssimo.org>
In-Reply-To: <1310304454.8182.122.camel@willson.li.ssimo.org>
X-Source-IP: rtcsinet22.oracle.com [66.248.204.30]
X-CT-RefId: str=0001.0A090207.4E1A9707.00BF:SCFSTAT5015188, ss=1, re=-4.000, fgs=0
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Subject: Re: [Ietf-krb-wg] Comments on adopting draft-sorce-krbwg-general-pad as a work item
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/options/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
Sender: ietf-krb-wg-bounces@lists.anl.gov
On 07/10/11 07:27 AM, Simo Sorce wrote: > On Sun, 2011-07-10 at 01:04 -0600, Shawn Emery wrote: >> On 06/29/11 08:11 AM, Sam Hartman wrote: >>> The chairs would like to solicit comments on whether the PAD draft is >>> ready for us to adopt as a working group draft. >>> Please send comments by July 10. >> Sorry for the late reply... >> >> General: >> >> It would be nice to standardize the interface (C bindings) or provide >> examples for accessing PAC data through standards track interfaces. >> >> There have been implementations of non-standardized interfaces, such >> as gss_inquire_sec_context_by_oid. It would be out of scope for this >> draft to cover a GSS-API like this, but should be considered as a >> complimentary draft. >> >> 4.4 PAD-DNS-Domain >> >> Couldn't you also have multiple domains map to a single realm? > This refers to the main domain name in use, others can be available but > they are not relevant for user authorization data. > >> 4.6. PAD-Domain-UUID >> >> uuid_t is 128 bits, shouldn't this be in alignment with uuid* >> functions? >> Providing a reference on how the Domain-UUID is constructed would >> be helpful. > This is vague as we want to allow easy mapping of Windows Domain SIDs > into this field for interop purposes. So this is literally just a Unique > Identifier, I can change the name if it is felt that using UUID is > confusing. Yes, this would be helpful. >> 4.7. PAD-Posix-Username >> >> In general it would be nice to have at least a non-normative >> reference for the Posix attributes. > I have been asked to refer to RFC 2307 for attributes. I will go thorugh > RFC 2307 before the next draft and verify if the definitions there are > adequate (For example I do not want to force these names to be case > sensitive although implementations are free to treat them in a case > sensitive way if they really, really want to. Is there is a reference that could be used that is not experimental? >> 4.14. PAD-AlternateNames >> >> Why can't this be more generic for any naming attribute that >> applications can use? > I am not sure I understand the objection, can you make an example of > what you'd like to use this attribute for ? Refer to draft-ietf-kitten-gssapi-naming-exts::6. Representation of Attribute Names. >> 5.1. PAD Format >> >> Which Host Service Key are you referring to here?: > host/fqdn@REALM This should be defined or referenced. >> o Optional Host Service Key Signature (for use by trusted services >> on a host) >> >> What about typed holes for future extensions? > Perhaps, but I am not sure we want to make this field too extensible, it > makes creating interoperable implementations harder if not done right. We should do it right then. >> 6.1 SignedPricipalAuthorizationData >> >> Why is the following a SHOULD?: >> >> Unless otherwise >> explicitly administratively configured, the key SHOULD be found >> by substituting the service name component of the principal >> name >> of the service with 'host'. >> >> As services should try to avoid using shared keys such as this. > This is not a shared key, this is useful exactly in the opposite case > where the service key differs from the host key and you cannot trust a > PAD signed by a service key as host. I would make it a MUST if I didn't > already spot cases where an implementation might need to use a different > trusted key (thinking about clusters here). > Keep in mind that this signature is optional, so you can omit it > completely, but if you want to use it you SHOULD provide a signature > based on the host key so that a host trusted service can verify the PAD > independently from the less trusted service receiving and forwarding it. > In environment where host and service keys are the same (like in AD) > this field is useless as it adds no security, so you should just omit > it. I think this should be clarified in the draft. >> 6.2 GSS-API Authenticator Extension >> >> Refer to draft-ietf-krb-wg-gss-cb-hash-agility on extension >> formats. > I'll take a note. Thanks, Shawn. -- _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
- [Ietf-krb-wg] Comments on adopting draft-sorce-kr… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Josh Howlett
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Luke Howard
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting Martin Rex
- Re: [Ietf-krb-wg] Comments on adopting Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting Martin Rex
- Re: [Ietf-krb-wg] Comments on adopting Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting Greg Hudson
- Re: [Ietf-krb-wg] Comments on adopting Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Luke Howard
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Luke Howard
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- [Ietf-krb-wg] Experimental status of RFC 2307 Sam Hartman
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Leif Johansson
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Howard Chu
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Sam Hartman
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Howard Chu
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Luke Howard
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Sam Hartman
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Leif Johansson
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Jeffrey Hutzelman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Jeffrey Hutzelman