Re: [Ietf-krb-wg] Comments on adopting draft-sorce-krbwg-general-pad as a work item
Shawn Emery <shawn.emery@oracle.com> Wed, 03 August 2011 07:31 UTC
Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42CA321F8AD3 for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Wed, 3 Aug 2011 00:31:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.422
X-Spam-Level:
X-Spam-Status: No, score=-4.422 tagged_above=-999 required=5 tests=[AWL=1.577, BAYES_00=-2.599, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cgaJlMN8pU27 for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Wed, 3 Aug 2011 00:31:26 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by ietfa.amsl.com (Postfix) with ESMTP id BCB6521F8ACE for <krb-wg-archive@lists.ietf.org>; Wed, 3 Aug 2011 00:31:25 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 69B263A; Wed, 3 Aug 2011 02:31:36 -0500 (CDT)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 15FD12D; Wed, 3 Aug 2011 02:31:33 -0500 (CDT)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id CE5022CC3CA; Wed, 3 Aug 2011 02:31:33 -0500 (CDT)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by lists.anl.gov (Postfix) with ESMTP id 0FAA280EA2 for <ietf-krb-wg@lists.anl.gov>; Wed, 3 Aug 2011 02:31:32 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id EE0F87CC05A; Wed, 3 Aug 2011 02:31:31 -0500 (CDT)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08957-05; Wed, 3 Aug 2011 02:31:31 -0500 (CDT)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id C84307CC059 for <ietf-krb-wg@lists.anl.gov>; Wed, 3 Aug 2011 02:31:31 -0500 (CDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AkMBAPv3OE6UV3F1mWdsb2JhbABChEejFBQBAQEBAQgLCwcUJYE5BwEBBSMVQBELGAICBRYLAgIJAwIBAgE3AQ0TCAEBh2quPJEsgSuEB4EQBIdaiyGFB4t8
X-IronPort-AV: E=Sophos;i="4.67,309,1309755600"; d="scan'208";a="64520674"
Received: from rcsinet15.oracle.com ([148.87.113.117]) by mailgateway.anl.gov with ESMTP/TLS/DHE-RSA-AES256-SHA; 03 Aug 2011 02:31:31 -0500
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by rcsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id p737VSKp029322 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <ietf-krb-wg@lists.anl.gov>; Wed, 3 Aug 2011 07:31:30 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id p737VSin009378 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-krb-wg@lists.anl.gov>; Wed, 3 Aug 2011 07:31:28 GMT
Received: from abhmt114.oracle.com (abhmt114.oracle.com [141.146.116.66]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p737VM8x032501 for <ietf-krb-wg@lists.anl.gov>; Wed, 3 Aug 2011 02:31:22 -0500
Received: from [10.159.208.113] (/10.159.208.113) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 03 Aug 2011 00:31:22 -0700
Message-ID: <4E38F93E.8040104@oracle.com>
Date: Wed, 03 Aug 2011 01:31:10 -0600
From: Shawn Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.9.2.18) Gecko/20110704 Lightning/1.0b2 Thunderbird/3.1.11
MIME-Version: 1.0
To: ietf-krb-wg@lists.anl.gov
References: <tslr56cohgy.fsf@mit.edu> <4E194EE2.7090502@oracle.com> <1310304454.8182.122.camel@willson.li.ssimo.org> <4E1A96F6.6020308@oracle.com> <1310944282.23822.61.camel@willson.li.ssimo.org>
In-Reply-To: <1310944282.23822.61.camel@willson.li.ssimo.org>
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090207.4E38F952.010B:SCFMA922111,ss=1,re=-4.000,fgs=0
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Subject: Re: [Ietf-krb-wg] Comments on adopting draft-sorce-krbwg-general-pad as a work item
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/options/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
Sender: ietf-krb-wg-bounces@lists.anl.gov
On 07/17/11 05:11 PM, Simo Sorce wrote: > On Mon, 2011-07-11 at 00:23 -0600, Shawn Emery wrote: >> On 07/10/11 07:27 AM, Simo Sorce wrote: >>> On Sun, 2011-07-10 at 01:04 -0600, Shawn Emery wrote: >>>> On 06/29/11 08:11 AM, Sam Hartman wrote: >>>>> The chairs would like to solicit comments on whether the PAD draft is >>>>> ready for us to adopt as a working group draft. >>>>> Please send comments by July 10. >>>> Sorry for the late reply... >>>> >>>> General: >>>> >>>> It would be nice to standardize the interface (C bindings) or provide >>>> examples for accessing PAC data through standards track interfaces. >>>> >>>> There have been implementations of non-standardized interfaces, such >>>> as gss_inquire_sec_context_by_oid. It would be out of scope for this >>>> draft to cover a GSS-API like this, but should be considered as a >>>> complimentary draft. >>>> >>>> 4.4 PAD-DNS-Domain >>>> >>>> Couldn't you also have multiple domains map to a single realm? >>> This refers to the main domain name in use, others can be available but >>> they are not relevant for user authorization data. >>> >>>> 4.6. PAD-Domain-UUID >>>> >>>> uuid_t is 128 bits, shouldn't this be in alignment with uuid* >>>> functions? >>>> Providing a reference on how the Domain-UUID is constructed would >>>> be helpful. >>> This is vague as we want to allow easy mapping of Windows Domain SIDs >>> into this field for interop purposes. So this is literally just a Unique >>> Identifier, I can change the name if it is felt that using UUID is >>> confusing. >> Yes, this would be helpful. > Ok, what about PAD-UDID (Unique Domain ID) ? This clarifies things better. >>>> 4.7. PAD-Posix-Username >>>> >>>> In general it would be nice to have at least a non-normative >>>> reference for the Posix attributes. >>> I have been asked to refer to RFC 2307 for attributes. I will go thorugh >>> RFC 2307 before the next draft and verify if the definitions there are >>> adequate (For example I do not want to force these names to be case >>> sensitive although implementations are free to treat them in a case >>> sensitive way if they really, really want to. >> Is there is a reference that could be used that is not experimental? > I looked into the POSIX.1-2008 standard* next to see if these attributes > are defined well enough to use it as a normative reference. > It looks like they are very loosely defined in there. > > > * IEEE Std 1003.1-2008 / The Open Group bBase Specifications Issue 7 That is unfortunate. >>>> 4.14. PAD-AlternateNames >>>> >>>> Why can't this be more generic for any naming attribute that >>>> applications can use? >>> I am not sure I understand the objection, can you make an example of >>> what you'd like to use this attribute for ? >> Refer to draft-ietf-kitten-gssapi-naming-exts::6. Representation of >> Attribute Names. > Uhmm you defined some characters as special in that document (space and > ':'), but I don;t see any discussion about escaping in case those > characters are part of the actual names as opposed to be just > separators. ANy reason why this is not a problem in that document ? Escape sequences are required for primary components in your use cases? >>>> 5.1. PAD Format >>>> >>>> Which Host Service Key are you referring to here?: >>> host/fqdn@REALM >> This should be defined or referenced. > OK. > >>>> o Optional Host Service Key Signature (for use by trusted services >>>> on a host) >>>> >>>> What about typed holes for future extensions? >>> Perhaps, but I am not sure we want to make this field too extensible, it >>> makes creating interoperable implementations harder if not done right. >> We should do it right then. >> >>>> 6.1 SignedPricipalAuthorizationData >>>> >>>> Why is the following a SHOULD?: >>>> >>>> Unless otherwise >>>> explicitly administratively configured, the key SHOULD be found >>>> by substituting the service name component of the principal >>>> name >>>> of the service with 'host'. >>>> >>>> As services should try to avoid using shared keys such as this. >>> This is not a shared key, this is useful exactly in the opposite case >>> where the service key differs from the host key and you cannot trust a >>> PAD signed by a service key as host. I would make it a MUST if I didn't >>> already spot cases where an implementation might need to use a different >>> trusted key (thinking about clusters here). >>> Keep in mind that this signature is optional, so you can omit it >>> completely, but if you want to use it you SHOULD provide a signature >>> based on the host key so that a host trusted service can verify the PAD >>> independently from the less trusted service receiving and forwarding it. >>> In environment where host and service keys are the same (like in AD) >>> this field is useless as it adds no security, so you should just omit >>> it. >> I think this should be clarified in the draft. > OK > >>>> 6.2 GSS-API Authenticator Extension >>>> >>>> Refer to draft-ietf-krb-wg-gss-cb-hash-agility on extension >>>> formats. >>> I'll take a note. Shawn. -- _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
- [Ietf-krb-wg] Comments on adopting draft-sorce-kr… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Josh Howlett
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Luke Howard
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting Martin Rex
- Re: [Ietf-krb-wg] Comments on adopting Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting Martin Rex
- Re: [Ietf-krb-wg] Comments on adopting Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting Greg Hudson
- Re: [Ietf-krb-wg] Comments on adopting Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Luke Howard
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Luke Howard
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Henry B. Hotz
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Shawn Emery
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Simo Sorce
- [Ietf-krb-wg] Experimental status of RFC 2307 Sam Hartman
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Leif Johansson
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Sam Hartman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Sam Hartman
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Howard Chu
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Sam Hartman
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Howard Chu
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Luke Howard
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Sam Hartman
- Re: [Ietf-krb-wg] Experimental status of RFC 2307 Leif Johansson
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Jeffrey Hutzelman
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Nico Williams
- Re: [Ietf-krb-wg] Comments on adopting draft-sorc… Jeffrey Hutzelman