Re: [Ietf-krb-wg] fast and patypes in KRB-ERROR

Sam Hartman <hartmans-ietf@mit.edu> Mon, 18 May 2009 10:44 UTC

To: Srinivas Cheruku <srinivas.cheruku@gmail.com>
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BDCD7@exchange.cybersafe.local> <tslskj7w8n0.fsf@mit.edu> <4a0d133a.1701d00a.65de.ffff9802@mx.google.com>
From: Sam Hartman <hartmans-ietf@mit.edu>
Date: Mon, 18 May 2009 06:45:31 -0400
In-Reply-To: <4a0d133a.1701d00a.65de.ffff9802@mx.google.com> (Srinivas Cheruku's message of "Fri\, 15 May 2009 12\:31\:05 +0530")
Message-ID: <tslfxf2r8ok.fsf@mit.edu>
Cc: ietf-krb-wg@anl.gov, 'Sam Hartman' <hartmans-ietf@mit.edu>
Subject: Re: [Ietf-krb-wg] fast and patypes in KRB-ERROR

>>>>> "Srinivas" == Srinivas Cheruku <srinivas.cheruku@gmail.com> writes:

    Srinivas> Sam wrote:...
    >> Probably this is more of an IETF issue than an MIT issue.  My
    >> concern about doing this is that the negotiation of which fast
    >> factors are supported would be unprotected.

    Srinivas> [Srinivas Cheruku] I was thinking on this more.  What
    Srinivas> effect would it have if the negotiation of fast factors
    Srinivas> is not protected?  When a non-fast request is sent to the
    Srinivas> KDC, it returns a KRB-ERROR with e-data containing
    Srinivas> PA-FX-FAST. This is also not protected; PA-FX-FAST can
    Srinivas> also be deleted from the initial unprotected error. If
    Srinivas> this happens, the client would send a non-fast request
    Srinivas> containing enc-timestamp instead of generating a fast
    Srinivas> request. It depends on the KDC policy to allow non-fast
    Srinivas> requests or not.

Larry and I have proposed a mechanism that we can use to protect the
negotiation of FAST itself.

That mechanism could be extended to protect FAST itself, but it is our
proposal to the WG not to involve that complexity.
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
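The downgrade Srinivas describes (PA-FX-FAST removed from the unprotected KRB-ERROR so the client falls back to encrypted-timestamp pre-authentication) and its dependence on KDC and client policy, as an added toy model that is not part of this thread, of the proposal Sam mentions, or of any Kerberos implementation. It uses the pa-type and error-code numbers from RFC 4120 and RFC 6113, replaces all cryptography with flags, and the `Kdc`, `Client`, `strip_fast_advert` and `run_exchange` names are hypothetical. The point it shows is that a permissive KDC plus a permissive client downgrades silently, a strict KDC turns the stripped advertisement into a failed login, and a client that requires FAST locally refuses before any unarmored pre-auth leaves the host.

```python
"""Toy model of the FAST pre-auth negotiation over an unprotected KRB-ERROR (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Pre-authentication type numbers (RFC 4120, RFC 6113).
PA_ENC_TIMESTAMP = 2
PA_ETYPE_INFO2 = 19
PA_FX_COOKIE = 133
PA_FX_FAST = 136

# KDC error codes (RFC 4120).
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25


@dataclass
class KrbError:
    """Stand-in for KRB-ERROR: error code plus the pa-types advertised in e-data."""
    error_code: int
    padata_types: List[int] = field(default_factory=list)


@dataclass
class AsReq:
    """Stand-in for AS-REQ: which pre-auth the client chose to send (empty = initial request)."""
    padata_types: List[int] = field(default_factory=list)

    @property
    def uses_fast(self) -> bool:
        return PA_FX_FAST in self.padata_types


class Kdc:
    """Hypothetical KDC whose only policy knobs are 'offer FAST' and 'require FAST'."""

    def __init__(self, supports_fast: bool, require_fast: bool):
        self.supports_fast = supports_fast
        self.require_fast = require_fast

    def handle(self, req: AsReq) -> Union[KrbError, str]:
        """Return a KrbError (pre-auth required / rejected) or "TGT" on success."""
        if not req.padata_types:
            # Initial request: advertise supported pa-types. Nothing integrity-protects this error.
            offered = [PA_ETYPE_INFO2, PA_ENC_TIMESTAMP]
            if self.supports_fast:
                offered += [PA_FX_COOKIE, PA_FX_FAST]
            return KrbError(KDC_ERR_PREAUTH_REQUIRED, offered)
        if req.uses_fast:
            return "TGT"  # armored request; the toy model skips the actual FAST crypto
        if self.require_fast:
            return KrbError(KDC_ERR_PREAUTH_FAILED)  # policy: unarmored pre-auth not accepted
        return "TGT"  # plain encrypted-timestamp pre-auth accepted by policy


class Client:
    """Hypothetical client whose only policy knob is 'require FAST'."""

    def __init__(self, require_fast: bool):
        self.require_fast = require_fast

    def respond(self, err: KrbError) -> Optional[AsReq]:
        """Pick pre-auth from the advertised pa-types; None means the client gives up."""
        if PA_FX_FAST in err.padata_types:
            return AsReq([PA_FX_FAST])
        if self.require_fast:
            return None  # local policy: never fall back to unarmored pre-auth
        return AsReq([PA_ENC_TIMESTAMP])


def strip_fast_advert(err: KrbError) -> KrbError:
    """Models the threat in the thread: the FAST advertisement vanishes from the unprotected error."""
    keep = [t for t in err.padata_types if t not in (PA_FX_FAST, PA_FX_COOKIE)]
    return KrbError(err.error_code, keep)


def run_exchange(kdc: Kdc, client: Client, advert_stripped: bool) -> str:
    """Run initial request -> KRB-ERROR -> pre-auth request and classify the outcome."""
    err = kdc.handle(AsReq())
    assert isinstance(err, KrbError)
    if advert_stripped:
        err = strip_fast_advert(err)
    req = client.respond(err)
    if req is None:
        return "client-refused"
    result = kdc.handle(req)
    if isinstance(result, KrbError):
        return "kdc-rejected"
    return "fast" if req.uses_fast else "enc-timestamp"


if __name__ == "__main__":
    for kdc_req in (False, True):
        for cli_req in (False, True):
            for stripped in (False, True):
                outcome = run_exchange(Kdc(True, kdc_req), Client(cli_req), stripped)
                print(f"kdc.require_fast={kdc_req!s:5} client.require_fast={cli_req!s:5} "
                      f"advert_stripped={stripped!s:5} -> {outcome}")
```

Running the module prints the full policy matrix; the two rows worth reading are the permissive/permissive one with the advertisement stripped, which ends in `enc-timestamp` with no error on either side, and the strict-client rows, which end in `client-refused` regardless of what the error advertised.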