Re: [Ietf-krb-wg] AD review of draft-ietf-krb-wg-kerberos-referrals-14

Sam Hartman <hartmans-ietf@mit.edu> Fri, 14 September 2012 16:16 UTC

From: Sam Hartman <hartmans-ietf@mit.edu>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <50512CF2.6090801@cs.tcd.ie>
Date: Fri, 14 Sep 2012 12:15:57 -0400
In-Reply-To: <50512CF2.6090801@cs.tcd.ie> (Stephen Farrell's message of "Thu, 13 Sep 2012 01:46:42 +0100")
Message-ID: <tslobl84m2q.fsf@mit.edu>
Cc: "krb-wg mailing list (ietf-krb-wg@lists.anl.gov)" <ietf-krb-wg@lists.anl.gov>
Subject: Re: [Ietf-krb-wg] AD review of draft-ietf-krb-wg-kerberos-referrals-14

>>>>> "Stephen" == Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:

    Stephen> Hi all,
    Stephen> - p10, last para, maybe s/should/ought/ if you don't want
    Stephen> that as a 2119 should? Even without that being a SHOULD, it
    Stephen> seems odd to recommend that the client know about realms,
    Stephen> to the extent that it can differentiate between them, in a
    Stephen> spec whose purpose is to get rid of per-realm configuration
    Stephen> from clients. Is there in fact a missing 2119-level SHOULD
    Stephen> here that also says how to do this with no client config?
    Stephen> Or, are you really assuming that clients won't make any
    Stephen> checks, in which case wouldn't it be better to confess the
    Stephen> truth?

What a lot of clients end up doing is confirming that the referred-to
realm is in something like an AD forest.
It would be valuable to mention that as an option for the local policy.
It's actually not a bad choice in a lot of environments, although
obviously if the trust within a forest varies widely (something that
Kerberos supports but AD doesn't support as much)
then you might need to be more clever.

The intent of that paragraph is that if you're going outside of an
AD-style trust model you may need to prompt.

    Stephen> - If a KDC receives an AS-REQ with no PA-REQ-ENC-PA-REP or
    Stephen> canonicalize KDC option then I assume that KDC MUST behave
    Stephen> according to 4120. Is that stated explicitly somewhere?
    Stephen> Does there need to be any similar statement about TGS-REQs
    Stephen> or TGTs (since the new padata type is a MAY for TGS-REQs)?

I don't think this is explicitly stated.
It's true for AS and TGS.
Will state in the post-lc update.

In practice the point is kind of moot since every implementation that
seems to be in wide use implements canonicalize. This spec took a while
in the standardization process :-)



    Stephen> nits:

Will deal during post-lc update.
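An added illustration of the client-side check Sam describes above (example code, not part of the draft or of any Kerberos implementation): a local policy that follows referrals within a configured forest of realms without asking, and outside it only along explicitly configured trust links, chaining through a realm only when the trust into it is marked transitive; everything else falls back to prompting. The trust-graph part goes a little beyond the message's "be more clever" remark, and the realm names, the trust table and its transitive flag are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# Outcomes of the client's local policy for a cross-realm referral.
ACCEPT = "accept"  # follow the referral without user interaction
PROMPT = "prompt"  # outside the trust boundary: ask the user (or apply stricter policy)


@dataclass
class ReferralPolicy:
    # Realms treated as one trust domain, like an AD forest (hypothetical config shape).
    forest: frozenset
    # realm -> {trusted peer realm: True if trust may be chained beyond the peer}
    trusts: dict = field(default_factory=dict)

    def _reachable(self, start, dst):
        """Breadth-first search over trust links. A link is always good for one
        hop; the search continues past a peer only if the link into it is transitive."""
        seen = set(start)
        queue = deque(start)
        while queue:
            cur = queue.popleft()
            for peer, transitive in self.trusts.get(cur, {}).items():
                if peer == dst:
                    return True
                if transitive and peer not in seen:
                    seen.add(peer)
                    queue.append(peer)
        return False

    def decide(self, client_realm, referred_realm):
        """Decide what to do when the KDC refers the client to referred_realm."""
        if referred_realm == client_realm:
            return ACCEPT  # not actually a cross-realm hop
        # Inside the forest every member realm is one trust domain, so the search
        # starts from all of them; outside it, only from the client's own realm.
        start = self.forest if client_realm in self.forest else {client_realm}
        if referred_realm in start:
            return ACCEPT
        return ACCEPT if self._reachable(start, referred_realm) else PROMPT


def example_policy():
    """Constructed sample configuration (realm names are made up)."""
    return ReferralPolicy(
        forest=frozenset({"CORP.EXAMPLE", "EU.CORP.EXAMPLE", "APAC.CORP.EXAMPLE"}),
        trusts={
            "CORP.EXAMPLE": {"PARTNER.EXAMPLE": True},     # chainable
            "PARTNER.EXAMPLE": {"VENDOR.EXAMPLE": False},  # one hop only
            "VENDOR.EXAMPLE": {"VENDOR-LAB.EXAMPLE": True},
        },
    )
```

A client would call `decide()` once per referral hop, always with its own realm as the trust anchor; a PROMPT result is where the draft's "local policy" would have to involve the user.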
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg