[Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-13 PROTO write-up comments

Larry Zhu <lzhu@exchange.microsoft.com> Fri, 17 December 2010 04:17 UTC

From: Larry Zhu <lzhu@exchange.microsoft.com>
To: "ietf-krb-wg@anl.gov" <ietf-krb-wg@anl.gov>
Date: Fri, 17 Dec 2010 04:16:34 +0000
Message-ID: <E8A97CB9E3BDF945B239B0FD4F532667108344D7@BL2SDF0103MB009.namsdf01.sdf.exchangelabs.com>
Subject: [Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-13 PROTO write-up comments
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
Content-Type: text/plain; charset="us-ascii"

While preparing the PROTO write-up for draft-ietf-krb-wg-otp-preauth-13, I have the following comments:

1) Nits: Section 1.2 page 4, s/the standard Reply Key/the classic Reply Key (as defined in RFC4120)/. The word "standard" is overloaded in this context, though the same phrase would sound perfectly fine anywhere else. This is just a suggestion, and the same applies to the rest of my comments with regard to the word "classic" vs "standard".
2) Nits: section 3.2 page 9, ditto s/standard/classic/.
3) Nits: section 3.2, page 9, can you please upper-case KDC in "kdc-authentication", as "KDC-authentication".
4) Grammar: section 3.2, page 9, s/PA-OTP-CHALLENGE that do not have the set the/ PA-OTP-CHALLENGE that do not have the/, i.e. extra "the set" seems to be just a copy&paste error.
5) Nits: section 3.3 page 11, at the very end, s/if the algorithm identifiers do not conform/if none of the algorithm identifiers conforms/.
6) Section 3.4, page 13. If kdc-authentication is required then a PA-OTP-REQUEST containing an otp-value must be rejected. This discusses the KDC side of verifying the preauth-data; how does the KDC know if KDC-authentication is required? Isn't KDC-authentication a client-side thing?
7) Nits: section 3.4, page 14, s/standard encrypted timestamp/classic encrypted timestamp/.
8) Section 3.4, page 14, the expiration time of the OTP account. This text introduces a new concept "OTP account". Does this imply a separate life-time management is required or recommended for OTP usage? Can you please clarify?
9) Section 3.4, page 14, the current text says "it SHOULD return the same response as for a non-OTP expired password". First, what is meant by "non-OTP expired password"? Does it imply there may exist an OTP expired password? Secondly, is it intentional that the KDC is not returning KDC_ERR_PIN_EXPIRED in this case?
10) Section 4.1, page 30, for consistency please add a ',' at the end of "-pin-not-required(4)".
11) Section 4.1, page 18, s/both flags MUST NOT be set and the client MUST regard/ both flags MUST NOT be set, or the client MUST regard/.
12) Section 4.3, page 23, for consistency, please remove the comma at the end of "-mandatory(2)," so that it looks like "--mandatory(2)".
13) Section 6.1, this section explains MITM can choose the session key when anonymous PKINIT is used. That is no longer true with anonymity draft 12 (the latest). Can this be updated? I believe Sam raised this issue during the last WGLC on -12. Can you please summarize the discussion and the conclusion?
14) Grammar: appendix b4, s/The Client generates Client Key Reply Key as described in/ The Client generates the Client Key and the Reply Key as described in/
15) Appendix b4, page 39, s/proceed as with the standard sequence/proceed as with the classic sequence as defined in RFC4120/.
16) Section 2.3, at the top of page 7, "as described above". I believe what was described above was removed. You can say "similarly as illustrated in RFC3244" and add a non-normative reference to RFC3244.
17) I have the opinion that the reference to PKINIT and anonymity draft should be normative. Do you have good reasons otherwise?
18) Section 3.6, page 16, the current text says that "the salt SHALL be the default salt for the principal requested in the AS-REQ". I do not think "default salt for the principal" is defined in existing standards or in this document. I can see a few possibilities to address this issue. A) we might need to have a protocol change, for example, we can add an optional "salt" field of KerberosString type in the OTP challenge message and allow the client to retry if it got it wrong when using the two-pass variant; B) you can simply say that the salt is an empty string if the OTP value is already salted when computed from a secret; C) go back to draft 12, and I do agree that the approach in -12 can create an unnecessary pain point.
19) draft-ietf-keyprov-pskc has been published as RFC 6030.
20) I was able to compile the ASN.1 module in appendix A except for the last 3 lines before the "end", ignoring the blank line right before that. Can you please confirm this module passes a modern ASN.1 compiler?

Draft 13 contains significant changes from draft 12, mostly due to WGLC comments. The quality of the document has been significantly improved. Out of these, issue 18 must be addressed before the document can move forward, but overall the document is very close. In order to allow the document to progress quickly, I have just started another WGLC on -13 together with these comments. Taking into account the holidays at this time of the year, I have extended the last call to cover 3 weeks instead of the normal 2-week length.

Thanks,
--Larry

_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg