[Ietf-krb-wg] Publication Request: draft-ietf-krb-wg-preauth-framework-15.txt (fwd)
Jeffrey Hutzelman <jhutz@cmu.edu> Tue, 01 December 2009 21:26 UTC
------------ Forwarded Message ------------
Date: Tuesday, December 01, 2009 04:24:57 PM -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: tim.polk@nist.gov
Cc: jhutz@cmu.edu, iesg-secretary@ietf.org
Subject: Publication Request: draft-ietf-krb-wg-preauth-framework-15.txt

This is a request to the IESG to approve publication of "A Generalized Framework for Kerberos Pre-Authentication", draft-ietf-krb-wg-preauth-framework-15.txt, as a Standards-Track RFC. This document is a product of the Kerberos Working Group.

(1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he or she believe this version is ready for forwarding to the IESG for publication?

>> The Document Shepherd for this document is Jeffrey Hutzelman,
>> <jhutz@cmu.edu>. I have reviewed this document, and I believe
>> it is ready for IETF-wide review and publication as a
>> Proposed Standard.

(1.b) Has the document had adequate review both from key WG members and from key non-WG members? Does the Document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

>> This document has received review both within the working group
>> and from key experts outside the working group. Any issues raised
>> have been resolved.

(1.c) Does the Document Shepherd have concerns that the document needs more review from a particular or broader perspective, e.g., security, operational complexity, someone familiar with AAA, internationalization or XML?

>> I don't believe any particular outside review is required.
>> Of course, more review is always welcome.

(1.d) Does the Document Shepherd have any specific concerns or issues with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it.
In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. Has an IPR disclosure related to this document been filed? If so, please include a reference to the disclosure and summarize the WG discussion and conclusion on this issue.

>> I have no concerns.
>> No IPR disclosures related to this document have been filed.

(1.e) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

>> There is consensus within the working group to publish this
>> document on the standards track. I believe there is strong
>> consensus for the preauthentication model and framework
>> described in this document.
>>
>> The FAST mechanism described in section 6.4 is conceptually
>> separable from the rest of the document, and so I discuss
>> it separately here. There is consensus in the working group
>> to publish this mechanism, and on the details of its design,
>> at least among those who have contributed to or reviewed it.
>> There is a somewhat rougher consensus to place this mechanism
>> on the standards track and to require its implementation by
>> Kerberos implementations conforming to the preauth framework.
>>
>> It is worth noting that a partial overlap exists between the
>> functionality of the FAST mechanism, which provides an encrypted
>> tunnel to protect exchange of preauthentication data between
>> a client and KDC, and that of the Kerberos STARTTLS extension,
>> draft-josefsson-kerberos5-starttls-07.txt, which is also a
>> document of this working group.

(1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is entered into the ID Tracker.)

>> There have been no expressions of discontent.

(1.g) Has the Document Shepherd personally verified that the document satisfies all ID nits? (See http://www.ietf.org/ID-Checklist.html and http://tools.ietf.org/tools/idnits/). Boilerplate checks are not enough; this check needs to be thorough. Has the document met all formal review criteria it needs to, such as the MIB Doctor, media type and URI type reviews?

>> This document has been run through the idnits tool, and was
>> reviewed manually for compliance with requirements not checked
>> by the automatic tool. No additional formal review criteria
>> apply to this document.
>>
>> In addition to RFC2119 requirements language, this document
>> contains numerous uses of lowercase "may", "should", and
>> "required", which are not intended to carry the RFC2119
>> meanings of the uppercase terms. These are used in contexts
>> where requirements language is neither intended nor appropriate,
>> such as advice to the reader or to future pre-authentication
>> mechanism designers, when discussing scenarios which provide
>> background for a design decision or requirement, or when
>> discussing potential constraints imposed by policy rather
>> than by the protocol.

(1.h) Has the document split its references into normative and informative? Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the strategy for their completion? Are there normative references that are downward references, as described in [RFC3967]? If so, list these downward references to support the Area Director in the Last Call procedure for them [RFC3967].

>> References have been split appropriately.
>> This document contains a normative reference to
>> draft-ietf-krb-wg-anon, which is awaiting a new WGLC.

(1.i) Has the Document Shepherd verified that the document IANA consideration section exists and is consistent with the body of the document?
If the document specifies protocol extensions, are reservations requested in appropriate IANA registries? Are the IANA registries clearly identified? If the document creates a new registry, does it define the proposed initial contents of the registry and an allocation procedure for future registrations? Does it suggest a reasonable name for the new registry? See [RFC2434]. If the document describes an Expert Review process has Shepherd conferred with the Responsible Area Director so that the IESG can appoint the needed Expert during the IESG Evaluation?

>> This document creates three new registries, for Kerberos
>> preauthentication and typed-data types, for FAST armor types,
>> and for FAST options. The first creates an IANA registry
>> for a namespace previously managed directly by the Kerberos
>> working group; the others are new namespaces created by this
>> document. In all three cases, suitable names are suggested,
>> initial contents included, and an appropriate registration
>> policy is specified.
>> The current maintainer of the PA-DATA/TYPED-DATA registry,
>> which this document turns over to IANA, is in the process of
>> reconciling the initial IANA registry contents contained in
>> this document with his existing records. We expect this will
>> result in minor changes to the initial registry contents by
>> the time the final document is published.
>> This document allocates new values in several namespaces which
>> are currently managed directly by the Kerberos working group
>> rather than as IANA registries. Transferring these registries
>> to IANA control is a work in progress but is not the subject
>> of this document.

(1.j) Has the Document Shepherd verified that sections of the document that are written in a formal language, such as XML code, BNF rules, MIB definitions, etc., validate correctly in an automated checker?

>> This document contains an ASN.1 module, which in the current
>> version does not compile.
>> Corrections have been made in the
>> author's copy and will be included in the next update (presumably,
>> along with changes to address any issues raised during IETF
>> Last Call).

(1.k) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up? Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections:

Technical Summary

Kerberos is a protocol for verifying the identity of principals (e.g., a workstation user or a network server) on an open network. The Kerberos protocol provides a mechanism called pre-authentication for proving the identity of a principal and for better protecting the long-term secrets of the principal.

This document describes a model for Kerberos pre-authentication mechanisms. The model describes what state in the Kerberos request a pre-authentication mechanism is likely to change. It also describes how multiple pre-authentication mechanisms used in the same request will interact.

This document also provides common tools needed by multiple pre-authentication mechanisms. One of these tools is a secure channel between the client and the KDC with a reply key strengthening mechanism; this secure channel can be used to protect the authentication exchange thus eliminate offline dictionary attacks. With these tools, it is relatively straightforward to chain multiple authentication mechanisms, utilize a different key management system, or support a new key agreement algorithm.

Working Group Summary

This document represents the consensus of the Kerberos Working Group.

Document Quality

Multiple vendors have indicated that they plan to implement and ship the extensions described in this document or have already begun to do so.

Personnel

The Document Shepherd for this document is Jeffrey Hutzelman. The responsible Area Director is Tim Polk.

---------- End Forwarded Message ----------