Re: [Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-13 PROTO write-up comments
<gareth.richards@rsa.com> Wed, 22 December 2010 10:04 UTC
Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@core3.amsl.com
Delivered-To: ietfarch-krb-wg-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 814583A6935 for <ietfarch-krb-wg-archive@core3.amsl.com>; Wed, 22 Dec 2010 02:04:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.999
X-Spam-Level:
X-Spam-Status: No, score=-5.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_45=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cp7QVR68o+Op for <ietfarch-krb-wg-archive@core3.amsl.com>; Wed, 22 Dec 2010 02:04:27 -0800 (PST)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by core3.amsl.com (Postfix) with ESMTP id 459833A6ADB for <krb-wg-archive@lists.ietf.org>; Wed, 22 Dec 2010 02:04:27 -0800 (PST)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id E449864; Wed, 22 Dec 2010 04:06:24 -0600 (CST)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 5AAEF52; Wed, 22 Dec 2010 04:06:23 -0600 (CST)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 230B280E7C; Wed, 22 Dec 2010 04:06:23 -0600 (CST)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by lists.anl.gov (Postfix) with ESMTP id B128380032 for <ietf-krb-wg@lists.anl.gov>; Wed, 22 Dec 2010 04:06:21 -0600 (CST)
Received: by mailhost.anl.gov (Postfix) id A7ECA59; Wed, 22 Dec 2010 04:06:21 -0600 (CST)
Delivered-To: ietf-krb-wg@anl.gov
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 9C0825F for <ietf-krb-wg@anl.gov>; Wed, 22 Dec 2010 04:06:21 -0600 (CST)
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by mailhost.anl.gov (Postfix) with ESMTP id 9137159 for <ietf-krb-wg@anl.gov>; Wed, 22 Dec 2010 04:06:21 -0600 (CST)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 745A17CC079; Wed, 22 Dec 2010 04:06:21 -0600 (CST)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 09519-01-4; Wed, 22 Dec 2010 04:06:21 -0600 (CST)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id 87B8B7CC07F for <ietf-krb-wg@anl.gov>; Wed, 22 Dec 2010 04:06:20 -0600 (CST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApIAAM5cEU2A3iAUkWdsb2JhbACjO1oVAQEBAQkLCgcRBR/CXIMEDYI4BIRmhh4
X-IronPort-AV: E=Sophos;i="4.60,212,1291615200"; d="scan'208";a="52554872"
Received: from mexforward.lss.emc.com ([128.222.32.20]) by mailgateway.anl.gov with ESMTP; 22 Dec 2010 03:35:27 -0600
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id oBM9ZQUu014113 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 22 Dec 2010 04:35:26 -0500
Received: from mailhub.lss.emc.com (mailhub.lss.emc.com [10.254.221.145]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Wed, 22 Dec 2010 04:35:14 -0500
Received: from mxhub18.corp.emc.com (mxhub18.corp.emc.com [10.254.93.47]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id oBM9YquQ023699; Wed, 22 Dec 2010 04:34:52 -0500
Received: from MX11A.corp.emc.com ([169.254.1.177]) by mxhub18.corp.emc.com ([10.254.93.47]) with mapi; Wed, 22 Dec 2010 04:34:52 -0500
From: gareth.richards@rsa.com
To: lzhu@exchange.microsoft.com, ietf-krb-wg@anl.gov
Date: Wed, 22 Dec 2010 04:34:49 -0500
Thread-Topic: draft-ietf-krb-wg-otp-preauth-13 PROTO write-up comments
Thread-Index: AcudnB1MDHaqaFZGQU6qpwXbQNM11QASMCewABSZ7wAA37cHcA==
Message-ID: <B1371F619AB0A94C9AC73CF2E475485B020A238065@MX11A.corp.emc.com>
References: <E8A97CB9E3BDF945B239B0FD4F532667108344D7@BL2SDF0103MB009.namsdf01.sdf.exchangelabs.com> <B1371F619AB0A94C9AC73CF2E475485B020A2378F0@MX11A.corp.emc.com> <E8A97CB9E3BDF945B239B0FD4F5326671085D287@BL2SDF0103MB009.namsdf01.sdf.exchangelabs.com>
In-Reply-To: <E8A97CB9E3BDF945B239B0FD4F5326671085D287@BL2SDF0103MB009.namsdf01.sdf.exchangelabs.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
MIME-Version: 1.0
X-EMM-MHVC: 1
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Subject: Re: [Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-13 PROTO write-up comments
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/options/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
Sender: ietf-krb-wg-bounces@lists.anl.gov
> > Gareth wrote: > > ".. And so if the returning of OTP values in this way does > not conform to local policy on the client (for example, if > KDC-Authentication is required and is not being provided by > other means) then it SHOULD NOT use the token for authentication." > I like this better too. > I have updated sections 3.2 and 3.4. > > 8) Section 3.4, page 14, the expiration time of the OTP > account. This > > text introduces a new concept "OTP account". > > Does this imply a separate life-time management is required or > > recommended for OTP usage? Can you please clarify? > > > These were added to cover the possibility that the account > related to the user's OTP token and the their OTP PIN could > have a different expiration times from their Kerberos account. > > For example, if the OTP token is managed by a separate > server then that server could have its own account management > distinct from that of the KDC. > I can guess that is the case without your clarification. I > raised the question thinking that the existing text sounds a > bit abrupt, but if you think it is already clear, you can > leave it as is. This can be your decision unless the group > has a different opinion otherwise. > If this text is unclear then I would rather clarrify it. How about some text of the form: The KDC MAY also include the new PIN's expiration time and the expiration time of the OTP account within the last-req field of the PA-OTP-PIN-CHANGE. (These fields can be used by the KDC to handle cases where then account related to the user's OTP token has a different expiration time to the user's Kerberos account.) > > 13) Section 6.1, this section explains MITM can choose the > session key > > when anonymous PKINIT is used. That is no longer true with > anonymity > > draft 12 (the latest). Can this be updated? I believe Sam > raised this > > issue during the last WGLC on -12. Can you please summarize the > > discussion and the conclusion? > > > Sam raised the following question regarding this section during the > > review of draft 12 > > How about the following text, the specific issue is already > fixed in anonymity-12, by adding the KDC contribution. Do you agree? > > However, the current anonymous PKINIT proposal is open to man- > in-the-middle attacks since the attacker can choose a session key > such that the session key between the MITM and the real KDC is the > same as the session key between the client and the MITM. > This is OK with me. > > The "as described above" is actually new text in draft 13. > I believe that it was meant to describe the handling of > expired PINs in the previous paragraph and can simply be removed. > > If so, we have a real issue here. The text before the > following (copied right below here for convenience) describes > how it should fail with an error when the PIN expires, but > now you are saying it should succeed for the PIN-change > service (which is basically what RFC3244 does as I alluded) > but how that is described in this document? Are we on the same page? > > If the PIN change is to be handled by a PIN-change service > then it is > assumed that authentication to that service will succeed if the PIN > has expired as described above > > The sentence above was meant to mean that if the user's PIN has expired that the KDC should fail the current AS-REQ and return a KRB-ERROR of type KDC_ERR_PIN_EXPIRED but that any subsequent request to the KDC for a ticket for a PIN-change service should succeed. That is, the fact that the user's OTP PIN has expired should not prevent authentication to the KDC for a PIN-change service ticket from succeeding. > > The ASN.1 module was checked using OSS ASN.1 Syntax Checker > Version 8.1.1. > That is all I wanted to know. Thanks. > > > Are you having trouble with the following: > > > > AnyURI ::= UTF8String > > (CONSTRAINED BY { > > /* MUST be a valid URI in accordance with IETF RFC 2396 */ > > }) > > Exactly right. My aging compiler does not under this syntax. > Love kindly pointed out that I somehow put C-style comments in the ASN.1 (which my compiler didn't object to) I believe that the correct text should be AnyURI ::= UTF8String (CONSTRAINED BY { -- MUST be a valid URI in accordance with IETF RFC 2396 * }) > > 10) Section 4.1,page 30, for consistency please add a ',' > at the end > > of "-pin-not-required(4)'. > > > Done > Please also update the corresponding portion in appendix A. > Done > To summarize, issue 13, 16 and 18 in the original list are > not closed yet at this point. Thanks. > I will wait for the outcome on issue 18 on the list before doing any update. Apart from a possible clarification for issue 16, I think all the others have been resolved. > -----Original Message----- > From: gareth.richards@rsa.com [mailto:gareth.richards@rsa.com] > Sent: Friday, December 17, 2010 6:41 AM > To: Larry Zhu; ietf-krb-wg@anl.gov > Subject: RE: draft-ietf-krb-wg-otp-preauth-13 PROTO write-up comments > > Larry, > > Thanks for the review, my responses are below. > > --Gareth > > > 1) Nits: Section 1.2 page 4, s/the standard Reply Key/the classic > > Reply Key (as defined in RFC4120)/. The word "standard" > > is overloaded in this context though the same phrase would sound > > perfectly fine anywhere else. This is just a suggestion and > the same > > applies to the rest of my comments with regarding to the word > > "classic" vs "standard. > > I am happy to change standard to classic. > > > 2) Nits: section 3.2 page 9, ditto s/standard/classic/. > OK, I changed "standard shared-key" to "classic shared-key" > > > 3) Nits: section3.2, page 9, can you please upper case KDC in > > "kdc-authentication", as "KDC-authentication". > Done > > > 4) Grammar: section 3.2, page 9, s/PA-OTP-CHALLENGE that do > not have > > the set the/ PA-OTP-CHALLENGE that do not have the/, i.e. > extra "the > > set" seems to be just a copy&paste error. > > Done > > > 5) Nits: section 3.3 page 11, at the very end, s/if the algorithm > > identifiers do not conform/if none of the algorithm identifiers > > conforms/. > > OK, done > > > 6) Section 3.4, page 13. If kdc-authentication is required then a > > PA-OTP-REQUEST containing an otp-value must be rejected. This > > discusses the KDC side of verifying the preauth-data, how > does the KDC > > know if KDC-authentication is required. Isn't that > KDC-authentication > > is a client side thing? > > Yes, I think this is a mistake. The following sentence from > section 3.2 covers the fact that the client SHOULD NOT return > send the OTP value to the client if local policy does not permit it. > > If the "must-encrypt-nonce" flag is set in the otp-keyInfo then the > OTP value MUST be used to generate the Client Key and Reply Key as > described in Section 3.6 and MUST NOT be included in the otp-value > field of the PA-OTP-REQUEST. If the flag is not set then the OTP > value MUST be included in the otp-value field of the PA-OTP-REQUEST > and MUST NOT be used in the key derivation. In this case, > the Client > Key and Reply Key SHALL be the same as the Armor Key as > described in > Section 3.6 and so if the returning of OTP values in this way does > not conform to local policy on the client then it SHOULD > NOT use the > token for authentication. > > I would think that this policy would also cover > KDC-authentication and so maybe the last sentence should be > modified as follows: > > ".. And so if the returning of OTP values in this way does > not conform to local policy on the client (for example, if > KDC-Authentication is required and is not being provided by > other means) then it SHOULD NOT use the token for authentication." > > > 7) Nits: section 3.4, page 14, s/standard encrypted > timestamp/classic > > encrypted timestamp/. > > Done > > > 8) Section 3.4, page 14, the expiration time of the OTP > account. This > > text introduces a new concept "OTP account". > > Does this imply a separate life-time management is required or > > recommended for OTP usage? Can you please clarify? > > These were added to cover the possibility that the account > related to the user's OTP token and the their OTP PIN could > have a different expiration times from their Kerberos account. > For example, if the OTP token is managed by a separate server > then that server could have its own account management > distinct from that of the KDC. > > > 9) Section 3.4, page 14, the current text says "it SHOULD > return the > > same response as for a non-OTP expired password", first, > what does it > > mean by "non-OTP expired password", does it imply there may > exist an > > OTP expired password, secondly, and is it intentional that > the KDC is > > not returning KDC_ERR_PIN_EXPIRED in this case? > > I believe that this was an oversight. I updated section 2.3 > to include the new KDC_ERR_PIN_EXPIRED but omitted to update > section 3.4. I suggest that the last sentence of this > paragraph be reworded as follows. > > Finally, if the KDC determines that the > user's PIN has expired then it SHOULD return a KRB-ERROR of type > KDC_ERR_PIN_EXPIRED as described in section 2.3 > > > 10) Section 4.1,page 30, for consistency please add a ',' > at the end > > of "-pin-not-required(4)'. > > Done > > > 11) Section 4.1, page 18, s/both flags MUST NOT be set and > the client > > MUST regard/ both flags MUST NOT be set, or the client MUST regard/. > > Done > > > 12) Section 4.3, page 23, for consistency, please remove > the comma at > > the end of "-mandatory(2)," so that it looks like "--mandatory(2)" . > > Done > > > 13) Section 6.1, this section explains MITM can choose the > session key > > when anonymous PKINIT is used. That is no longer true with > anonymity > > draft 12 (the latest). Can this be updated? I believe Sam > raised this > > issue during the last WGLC on -12. Can you please summarize the > > discussion and the conclusion? > > Sam raised the following question regarding this section > during the review of draft 12 > > > I'm a bit confused about the concern where a host key > is compromised. > > It's basically always possible for a client and an > attacker to work > > together to spoof the KDC if the attacker knows the > host key. This > > tends to be one of the least serious concerns that happens > > when the host > > key is compromised. > > > > This text was added following an issue raised by Greg Hudson > on 28 July 2009 > > On Tue, 2009-07-28 at 13:27 -0400, Sam Hartman wrote: > > This makes sense to me. > > So, S/KEY with host armor would be OK to allow? > > I think it's worth documenting that it would allow someone with > the host key to fool the client, whereas a straight RFC > 4120 AS-REQ does > not allow this. > > It's not a terribly interesting vulnerability because a > compromised host key normally means a compromised host, > which generally > gives you more latitude to mess with the user's activities than > impersonating the KDC does. > > > > > 14) Grammar: appendix b4, s/The Client generates Client Key > Reply Key > > as described in/ The Client generates the Client Key and > the Reply Key > > as described in/ > > Done > > > 15) Appendix b4, page 39, s/proceed as with the standard > > sequence/proceed as with the classic sequence as defined in > RFC4120/. > > Done > > > 16) Section 2.3, on top of page 7, "as described above". I believe > > what was described above was removed. You can say "similarly as > > illustrated in RFC3244" and add a non-normative reference > to RFC3244. > > The "as described above" is actually new text in draft 13. I > believe that it was meant to describe the handling of expired > PINs in the previous paragraph and can simply be removed. > > > 17) I have the opinion that the reference to PKINIT and anonymity > > draft should be normative. Do you have good reasons otherwise? > > I don't have any particular reasons to keep them as > informational, I just didn't think that they were used in a > normative manner. I've moved them to the normative section. > > > 18) Section 3.6, page 16, the current text says that "the > salt SHALL > > be the default salt for the principal requested in the > AS-REQ". I do > > not think "default salt for the principal" > > is defined in existing standards or in this document. I can > see a few > > possibilities to address this issue. A) we might need to have a > > protocol change, for example, we can add the optional > "salt" field of > > KerberosString type in the OTP challenge message and allow > the client > > to retry if it got it wrong when the two-pass variant; B) you can > > simply say that the salt is an empty string if the OTP value is > > already salted when computed from a secret; C) go back to > draft 12 and > > I do agree that approach in -12 can create an unnecessary > pain point. > > What was meant by this text was that the salt used would be > the default salt defined for the enctype and principal. So > for example, for AES it would be a value derived from the > principals name. > > > > 19) draft-ietf-keyprov-pskc has been published as RFC 6030. > > OK, updated. > > > 20) I was able to compile the ASN module in appendix A except the > > latest 3 lines before the "end", ignoring the blank line > right before > > that. Can you please confirm this module passes a modern ASN1 > > compiler? > > > > The ASN.1 module was checked using OSS ASN.1 Syntax Checker > Version 8.1.1. > > Are you having trouble with the following: > > AnyURI ::= UTF8String > (CONSTRAINED BY { > /* MUST be a valid URI in accordance with IETF RFC 2396 */ > }) > > > > Draft 13 contains significant changes from draft 12 mostly > due to WGLC > > comments. The quality of the document has been > significantly improved. > > Out of these, issue 18 must be addressed before the > document can move > > forward but overall the document is very close. In order to > allow the > > document progress quickly, I just started another WGLC on > 13 together > > with these comments. Taking into account of the holidays at > this time > > of the year, I have extended the last call to cover > > 3 weeks instead of the normal 2 week length. > > > > > > _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
- [Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-13 PR… Larry Zhu
- Re: [Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-1… gareth.richards
- Re: [Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-1… Larry Zhu
- Re: [Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-1… gareth.richards