[Ietf-krb-wg] RFC-Editor Note for draft-ietf-krb-wg-anon-12

Jeffrey Hutzelman <jhutz@cmu.edu> Wed, 27 October 2010 17:31 UTC

Date: Wed, 27 Oct 2010 13:32:52 -0400
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: ietf-krb-wg@anl.gov
Message-ID: <BEB4E7F22F8DCC1DDA9937D8@atlantis.pc.cs.cmu.edu>
Cc: jhutz@cmu.edu
Subject: [Ietf-krb-wg] RFC-Editor Note for draft-ietf-krb-wg-anon-12

In order to address issues raised during IETF Last Call and/or IESG review, 
we're attaching the following Notes to the RFC Editor to anon.  Modulo 
these changes, this document has been approved and should enter the RFC 
Editor's queue shortly.

-- Jeff

  Please make the following changes prior to publication:

  In Section 4 (a/an):
  OLD:
     In order to request an anonymous ticket, the client sets the
     anonymous KDC option in an AS request or an TGS request.
  NEW:
     In order to request an anonymous ticket, the client sets the
     anonymous KDC option in an AS request or a TGS request.

  In Section 4.1:
  OLD:
     client realm is the realm of the AS.  According to [RFC4120] the
     client name and the client realm in the EncTicketPart of the reply
     MUST match with the corresponding client name and the client realm of
     the anonymous ticket in the reply; the client MUST use the client
  NEW:
     client realm is the realm of the AS.  According to [RFC4120] the
     client name and the client realm in the EncTicketPart of the reply
     MUST match with the corresponding client name and the client realm of
     the KDC reply; the client MUST use the client

  In Section 4.1.1, graf 1: s/anonymity/anonymous/

  In Section 4.1.1, graf 2 (wording and 3852/5652 reference update):
  OLD:
     the client sets the client name as the anonymous principal
     in the AS exchange and provides a PA_PK_AS_REQ pre-authentication
     data [RFC4556] where both the signerInfos field and the certificates
     field of the SignedData [RFC3852] of the PA_PK_AS_REQ are empty.
  NEW:
     the client sets the client name as the anonymous principal
     in the AS exchange and provides a PA_PK_AS_REQ pre-authentication
     data [RFC4556] where the signerInfos field of the SignedData [RFC5652]
     of the PA_PK_AS_REQ is empty, and the certificates field is absent.

  And again, in Section 4.1.1, graf 3:
  OLD:
     If the KDC replies anonymously, both the
     signerInfos field and the certificates field of the SignedData
     [RFC3852] of PA_PK_AS_REP in the reply are empty.  The server name in
     the anonymous KDC reply contains the name of the TGS.
  NEW:
     If the KDC replies anonymously, the signerInfos field of the
     SignedData [RFC5652] of PA_PK_AS_REP in the reply is empty, and
     the certificates field is absent.  The server name in
     the anonymous KDC reply contains the name of the TGS.

  In Section 4.2 (commas):
  OLD:
   the TGS MAY omit the previous realm if the cross realm TGT is
   an anonymous one in order to hide the authentication path of the
   client.
  NEW:
   the TGS MAY omit the previous realm, if the cross realm TGT is
   an anonymous one, in order to hide the authentication path of the
   client.

  In Section 4.3, graf 7, s/preformed/performed/

  In Section 8, graf 3: s/insure/ensures/

  In Section 8, before graf 5, insert:

  Two mechanisms, the FAST facility with the hide-client-names option in
  [FAST] and the Kerberos5 starttls option [STARTTLS], protect the
  client identity so that an attacker would never be able to observe the
  client identity sent to the KDC.  Transport or network layer security
  between the client and the server will help prevent tracking of a
  particular ticket to link a ticket to a user. In addition, clients can
  limit how often a ticket is re-used to minimize ticket linking.

  In Section 11.1:
  OLD:
   [RFC3852]  Housley, R., "Cryptographic Message Syntax (CMS)",
              RFC 3852, July 2004.
  NEW:
   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)",
              RFC 5652, September 2009.

  Also in Section 11.1, add the following normative references:
   [X680]             Abstract Syntax Notation One (ASN.1):
                      Specification of Basic Notation, ITU-T
                      Recommendation X.680 (1997) | ISO/IEC
                      International Standard 8824-1:1998.

   [X690]             ASN.1 encoding rules: Specification of Basic
                      Encoding Rules (BER), Canonical Encoding Rules
                      (CER) and Distinguished Encoding Rules (DER),
                      ITU-T Recommendation X.690 (1997)| ISO/IEC
                      International Standard 8825-1:1998.

  In Section 11.2, add the following informative reference (note this
  document has already been approved by the IESG):

   [STARTTLS] Josefsson, S., "Using Kerberos V5 over the Transport
              Layer Security (TLS) Protocol",
              draft-josefsson-kerberos5-starttls (work in progress),
              2010.
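An added example, not part of this message or of the draft: a minimal DER walker that checks the corrected Section 4.1.1 condition on a PA_PK_AS_REQ/PA_PK_AS_REP SignedData, namely an empty signerInfos SET with the certificates field absent rather than present-but-empty (the two encodings differ on the wire, which is why the wording change matters). The eContentType OID is assumed to be id-pkinit-authData from RFC 4556, and the sample encodings are constructed here.

```python
from typing import List, Tuple

def der_len(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def der_children(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split the contents of a constructed value into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        length, pos = der_len(buf, pos + 1)
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def tlv(tag: int, contents: bytes) -> bytes:
    """Encode one DER TLV (short-form length, sufficient for these samples)."""
    assert len(contents) < 0x80
    return bytes([tag, len(contents)]) + contents

def is_anonymous_signed_data(signed_data_der: bytes) -> bool:
    """True iff signerInfos is an empty SET and certificates ([0]) is absent."""
    outer = der_children(signed_data_der)
    if len(outer) != 1 or outer[0][0] != 0x30:    # must be exactly one SEQUENCE
        return False
    fields = der_children(outer[0][1])
    if any(tag == 0xA0 for tag, _ in fields):     # [0] IMPLICIT certificates present
        return False                               # present-but-empty is NOT absent
    if not fields or fields[-1][0] != 0x31:        # signerInfos is the last field, a SET
        return False
    return len(fields[-1][1]) == 0

# Constructed sample values (assumption: id-pkinit-authData = 1.3.6.1.5.2.3.1, RFC 4556)
ID_PKINIT_AUTHDATA = bytes.fromhex("2b060105020301")
ENCAP = tlv(0x30, tlv(0x06, ID_PKINIT_AUTHDATA))           # eContent omitted in this sample
COMMON = tlv(0x02, b"\x03") + tlv(0x31, b"") + ENCAP        # version 3, empty digestAlgorithms
ANON_SIGNED_DATA = tlv(0x30, COMMON + tlv(0x31, b""))                  # certificates absent
OLD_READING = tlv(0x30, COMMON + tlv(0xA0, b"") + tlv(0x31, b""))      # certificates present, empty
```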
