Re: [Ietf-krb-wg] Last call issues on naming
Larry Zhu <lzhu@windows.microsoft.com> Thu, 31 July 2008 18:30 UTC
Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@core3.amsl.com
Delivered-To: ietfarch-krb-wg-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 845CC28C2C8 for <ietfarch-krb-wg-archive@core3.amsl.com>; Thu, 31 Jul 2008 11:30:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.111
X-Spam-Level:
X-Spam-Status: No, score=-104.111 tagged_above=-999 required=5 tests=[AWL=-1.512, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5pPoQSIYfWx1 for <ietfarch-krb-wg-archive@core3.amsl.com>; Thu, 31 Jul 2008 11:30:11 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by core3.amsl.com (Postfix) with ESMTP id 0D91028C2A8 for <krb-wg-archive@lists.ietf.org>; Thu, 31 Jul 2008 11:30:11 -0700 (PDT)
Received: from mailhost.anl.gov (localhost [127.0.0.1]) by localhost.ctd.anl.gov (Postfix) with ESMTP id 3D67748; Thu, 31 Jul 2008 13:30:27 -0500 (CDT)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 0318A4E; Thu, 31 Jul 2008 13:30:26 -0500 (CDT)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 8EB6480D96; Thu, 31 Jul 2008 13:30:26 -0500 (CDT)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by lists.anl.gov (Postfix) with ESMTP id DDDBB80D8C for <ietf-krb-wg@lists.anl.gov>; Thu, 31 Jul 2008 13:30:24 -0500 (CDT)
Received: by mailhost.anl.gov (Postfix) id CC87F41; Thu, 31 Jul 2008 13:30:24 -0500 (CDT)
Delivered-To: ietf-krb-wg@anl.gov
Received: from mailhost.anl.gov (localhost [127.0.0.1]) by localhost.ctd.anl.gov (Postfix) with ESMTP id 9B10539 for <ietf-krb-wg@anl.gov>; Thu, 31 Jul 2008 13:30:24 -0500 (CDT)
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by mailhost.anl.gov (Postfix) with ESMTP id 86DB441 for <ietf-krb-wg@anl.gov>; Thu, 31 Jul 2008 13:30:24 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 6D54B7CC082; Thu, 31 Jul 2008 13:30:24 -0500 (CDT)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 29055-08; Thu, 31 Jul 2008 13:30:24 -0500 (CDT)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay2.anl.gov (Postfix) with ESMTP id 399D97CC065 for <ietf-krb-wg@anl.gov>; Thu, 31 Jul 2008 13:30:24 -0500 (CDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjUAAB2hkUiDa3PXmmdsb2JhbACLHoc5AQEBAQEIBQgHEQaeHkQ
X-IronPort-AV: E=Sophos;i="4.31,287,1215406800"; d="scan'208";a="17747191"
Received: from smtp.microsoft.com ([131.107.115.215]) by mailgateway.anl.gov with ESMTP; 31 Jul 2008 13:30:23 -0500
Received: from tk1-exhub-c103.redmond.corp.microsoft.com (157.54.46.187) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.1.251.2; Thu, 31 Jul 2008 11:30:23 -0700
Received: from tk5-exmlt-w601.wingroup.windeploy.ntdev.microsoft.com (157.54.18.32) by tk1-exhub-c103.redmond.corp.microsoft.com (157.54.46.187) with Microsoft SMTP Server id 8.1.240.5; Thu, 31 Jul 2008 11:30:22 -0700
Received: from NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com ([fe80::8de9:51a2:cd62:f122]) by tk5-exmlt-w601.wingroup.windeploy.ntdev.microsoft.com ([157.54.18.32]) with mapi; Thu, 31 Jul 2008 11:30:22 -0700
From: Larry Zhu <lzhu@windows.microsoft.com>
To: Jeffrey Hutzelman <jhutz@cmu.edu>, "ietf-krb-wg@anl.gov" <ietf-krb-wg@anl.gov>
Date: Thu, 31 Jul 2008 11:30:20 -0700
Thread-Topic: [Ietf-krb-wg] Last call issues on naming
Thread-Index: AcjxXwDdkr9rp8FwSaK9DUX7CwksUgB2c2eQ
Message-ID: <AB1E5627D2489D45BD01B84BD5B90046061C58919B@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
References: <F218B0172A4F7753E33C317D@atlantis.pc.cs.cmu.edu>
In-Reply-To: <F218B0172A4F7753E33C317D@atlantis.pc.cs.cmu.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
MIME-Version: 1.0
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Subject: Re: [Ietf-krb-wg] Last call issues on naming
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-krb-wg-bounces@lists.anl.gov
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
* N002 Mar 06 Stephen Hanna <shanna@juniper.net> (for secdir) > it should explain why it is permissible for the TGS to allow > an authentication to succeed even if the client and/or > server principal name is an unsupported well-known name. > The reasoning for allowing this is not clear to me but > perhaps it is that the TGS can assume that the AS must > have supported the client name or it would have failed the > authentication. I'm not sure how this helps to address the > case where the server name is an unsupported well-known > name. I would like to see that explained, preferably > in the document. I propose replacing OLD: Similarly, the Ticket Granting Service (TGS) [RFC4120] MAY reject the authentication attempt if a well-known principal name is used as the client principal name but not supported, and SHOULD reject the authentication attempt if a well- known principal name is used as the server principal name but not supported. With NEW: Similarly, the Ticket Granting Service (TGS) [RFC4120] MAY reject the authentication attempt if a well-known principal name is used as the client principal name but not supported, and SHOULD reject the authentication attempt if a well- known principal name is used as the server principal name but not supported. These rules were designed to allow incremental updates and ease migration. More specifically, if a well-known principal is accepted in one realm, it is desirable to allow the cross-realm TGT to work when not all of the realms in the cross-realm authentication path are updated; if the server principal with an identically-named well-known name was created before the KDC is updated, it might be acceptable to allow authentication to work but with a limited lifetime. --larry -----Original Message----- From: ietf-krb-wg-bounces@lists.anl.gov [mailto:ietf-krb-wg-bounces@lists.anl.gov] On Behalf Of Jeffrey Hutzelman Sent: Tuesday, July 29, 2008 2:39 AM To: ietf-krb-wg@anl.gov Cc: jhutz@cmu.edu Subject: [Ietf-krb-wg] Last call issues on naming The following is a summary of issues that have been raised on the naming document since draft-ietf-krb-wg-naming-04.txt entered IETF Last Call on Feb 22, 2008. There are a total of 5 issues, all but one of which I believe has been resolved as of draft-ietf-krb-wg-naming-06.txt. The remaining issue, N002, still needs a reply. However, I suspect that Larry can compose a reply without additional discussion from the working group, so unless someone has a comment, I am not planning on discussing this item at today's meeting. Participants should feel free to comment during today's meeting on any of these items or on any issue not previously noticed. However, please bear in mind that this document is at a fairly late stage and so we should not be making significant changes without a strong need. In the text below, '>' indicates comments from the listed commenter, '@' indicates comments from the document author(s), and '[[' and ']]' surround comments from the shepherd. ********************************************************************** *** OUTSTANDING ********************************************************************** * N002 Mar 06 Stephen Hanna <shanna@juniper.net> (for secdir) > it should explain why it is permissible for the TGS to allow > an authentication to succeed even if the client and/or > server principal name is an unsupported well-known name. > The reasoning for allowing this is not clear to me but > perhaps it is that the TGS can assume that the AS must > have supported the client name or it would have failed the > authentication. I'm not sure how this helps to address the > case where the server name is an unsupported well-known > name. I would like to see that explained, preferably > in the document. ********************************************************************** *** RESOLVED ********************************************************************** * N001 Mar 06 Stephen Hanna <shanna@juniper.net> (for secdir) > The Security Considerations > section could provide an example of how unintended access > could be granted if an authentication with an unsupported > well-known name is allowed to succeed. @ Example added in -05 [[ Example present in -06 ]] [[ RESOLVED - MINOR SUBSTANTIVE ]] ============================== * N003 Mar 06 Stephen Hanna <shanna@juniper.net> (for secdir) > At the end of section 1, "remedy these" should be "remedy these > issues" or something similar. Otherwise, it's not clear what is > to be remedied. [[ Corrected in -06 ]] [[ RESOLVED - EDITORIAL ]] ============================== * N004 Mar 06 Stephen Hanna <shanna@juniper.net> (for secdir) > In the last paragraph of section 3.1, the first word "is" in the > phrase "is a well-known principal name is used" should be "if". > Similarly, in the second paragraph of section 3.2, the first word > "is" should be "if" in the phrase "is a well-known realm name is used". [[ Corrected in -06 ]] [[ RESOLVED - EDITORIAL ]] ============================== * N005 Mar 20 Sam Hartman <hartmans-ietf@mit.edu> > I think there is a minor ambiguity in the naming draft: > > Consequently, unless otherwise > > specified, a well-known Kerberos realm name MUST NOT be present > > in transited encoding > > Who enforces this requirement? That's an important question because > it controls who needs to support the specific well known realm in > order for it to be used. > > I'd recommend something like: Unless otherwise specified, parties checking > the transited realm path MUST reject a transited realm path that includes a > well known realm. In the case of KDCs checking the transited realm path, > this means that the transited policy checked flag MUST NOT be set in the > resulting ticket. > > In particular, that means that a KDC that is not checking transited > realm paths is not encouraged to reject a request simply because the > realm in an unknown well known realm. @ Proposed text looks good [[ Included in -06 ]] [[ RESOLVED - MINOR SUBSTANTIVE ]] _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
- [Ietf-krb-wg] Last call issues on naming Jeffrey Hutzelman
- Re: [Ietf-krb-wg] Last call issues on naming Larry Zhu
- Re: [Ietf-krb-wg] Last call issues on naming Jeffrey Hutzelman