[Ietf-krb-wg] Notes from Kerberos WG meeting at IETF77 (drafty)

Thomas Hardjono <hardjono@MIT.EDU> Tue, 30 March 2010 18:38 UTC

From: Thomas Hardjono <hardjono@MIT.EDU>
To: "jhutz@cmu.edu" <jhutz@cmu.edu>, Larry Zhu <larry.zhu@microsoft.com>
Date: Tue, 30 Mar 2010 14:38:49 -0400
Message-ID: <DADD7EAD88AB484D8CCC328D40214CCD0167972D86@EXPO10.exchange.mit.edu>
Cc: "ietf-krb-wg@lists.anl.gov" <ietf-krb-wg@lists.anl.gov>
Subject: [Ietf-krb-wg] Notes from Kerberos WG meeting at IETF77 (drafty)

Folks, Jeff & Larry,

Here are my drafty notes from the Kerberos WG meeting last week at IETF77. Please check/verify that I did not miss or misunderstand anything.

cheers,

/thomas/


------------------------------------------------------------------------
Minutes/Notes from Kerberos WG (IETF77) - DRAFT
March 24th, 2010

(I) AGENDA:
   (a) Preliminaries.
   (b) Document Status.
   (c) Last Call items.
   (d) Moving Forward.
   (e) Open Mic.


(II) DOCUMENT STATUS

(a) Cross Realm Problem statement
    - Approved, in Editor's queue.

(b) Preauth Framework
    - Will be on IESG Telechat in 2 weeks (April 8, 2010).

(c) StartTLS
    - Currently in IESG Review.
    - Waiting also on outcome on discussions regarding
      validating server certs (mailing-list discussion).
    - WG Consensus: layering AS_REQ over TLS is generally
      a good idea (i.e. better than nothing).

(d) IAKERB
    - Completed WG Last Call a few months ago.
    - Waiting for JHutz for proto eval.

(e) Naming/Anonymous
    - Draft has expired.
    - Anonymous draft has also expired now.
    - Sam believes all issues now resolved.
    - Larry to issue new versions of both drafts.
      + The Naming draft needs a new WG Last Call.
      + Anonymous draft just needs update in version-number.


(III) LAST CALL ITEMS

(a) Kerberos Information Model (v.07)

    - Update from Leif:
      + Leif will provide update v.08
      + Principal realms must be (will be) single-valued.
      + Will do English language clean-up.

    - Q: Should principal realms be single-valued?

      Sam: It's logical to associate multiple names to the realm.
           - PrincipalName is multivalued (even in 1 realm).
           - but Realm is multivalued.

      GregH: Consensus is that Principal Name must be multi-valued.
             But does not imply whether principal name includes
             a realm name.

      Discussion:....

      Leif: a principal can have multiple names even when it belongs
            to one realm (i.e. folding name into realm).

    - Consensus: hum please...
      + Yes (majority)
      + No strong objection.
      + Slight objection from Hank Holtz.


(b) Kerberos Information Model: Open Issues

    - Slides: http://www.ietf.org/proceedings/10mar/slides/krb-wg-1.pdf

    - Two remaining open items:
      + Greg Hudson: some implementations don't need canonical principalName 
        for salting keys.
      + Greg Hudson: no need to separate keys from the rest of the model.

    - Q: Larry: We still need some semantics to be built into the name for the
                enterprise case.
      A: Leif: but this issue is not part of the model.
         Sam: agrees with Leif.

    - Consensus checks:
      (i) Update the text of the draft to clarify that implementations
          do not necessarily require the canonical principalName
          for salting keys?

          Consensus call: weak hum, no rejects, 2 Yes on Jabber.
          Action Item: Leif to update the text to clarify this point.

      (ii) Separating keys from the rest of the model?

          Discussion:
          - GregH is not arguing for separating keys, but only that
            better text is needed to justify this. (Section 6.2.3)

          - Leif: could people please send suggested text to the mailing-list
            or to Leif. Note that WGLC is April 9th 2010.
          - JHutz: continue discussion on this topic on the mailing-list.


(IV) NEW DOCUMENTS

(a) Ticket extensions draft
    - Adopted as WG work item.
    - Love will modify doc name at next revision/update.

(b) Deprecating DES (des-die-die-die)
    - Adopted as WG work item.
    - Love says it's ready for WGLC.
      + Sam: just publish it.
      + Hank: just publish it.
    - Conclusion: will begin WG Last Call as soon as possible.

(c) DHCPv6 Option
    - Adopted as WG work item.
    - Will begin WG Last Call as soon as possible.


(V) MOVING FORWARD

(a) IANA Considerations (draft-lha-krb-wg-some-numbers-to-iana-00)

    - JHutz: would anyone object to this document?

      + Sam: Agree that we need to turn over numbers to IANA but
             uncomfortable in the current registration process.
             This should not imply level of consensus in the work.

      + JHutz: "Registration process will be based on WG consensus".
            - We need to discuss registration procedure on the mailing-list
              until the next IETF meeting.  However, WG will adopt this doc
              as WG work-item.


(b) KDC Schema (i.e. Kadmin-by-LDAP)

    - No documents yet.

    - JHutz: Anyone interested in this work? Who wants to deploy?

        Hank: maybe Howard Chu (OpenLDAP) would be interested.
        Leif: let's ask Howard.
        Love: Howard has already started work (backend store).
        JHutz: But backend store is not in WG charter.
        Leif: Ask Simo & Howard to submit their work as draft.
              - Update the draft-chu-ldap-kdc-schema-00 and resubmit.


(c) Camellia Enctype (draft-krb-wg-kanno-camellia-00)

    - Thomas: Japanese Gov will soon (around 2013) mandate
           two ciphers to be supported for Japanese government use
           (namely AES and Camellia).  Thus it makes sense to address
           Camellia now. IPsec WG and TLS WG already have WG work items
           on Camellia.

    - JHutz: Should we adopt this as WG work item?

    - Sam: we should adopt Camellia generally but prefer 
           one Standards Track mode only. Need input from our
           Standards Track expert (Ken Raeburn).

    - Shawn: CTS mode is known to have issues.

    - JHutz: Need to read IANA policy.  It needs expert review
             and registration process.

    - Consensus check: Should WG adopt Camellia work?

         +  Hank: Yes in favor.
         +  Shawn: What about quality of cipher?
            - Thomas: same level of quality as AES.

         + Sam: should just choose one mode of Camellia
                for Standards Track based on quality.

         + Tim: Correcting Thomas, Camellia was not one of 
                the 15 candidates for AES competition.

         + JHutz: Consensus call based on the assumption that 
              there will be one Standards Track. 
              Shall the WG adopt work on Camellia enctype for
              standards track?:

              - In favor: medium hum.
              - Against: low hum
              - Who objects: 1 person (Mike Boyle) objects on the basis of 
                too many enctypes in Kerberos. Fewer algorithms is better. 
                Objection has nothing to do with quality of Camellia.

         + JHutz: IPR Disclosure from NTT has been received by WG chairs
                and Security ADs.


(VI) OPEN MIC

(a) Hank Holtz on KX509
    - Has a drafty doc on KX509
    - Work is based on UMich previous work, thus may have some IP issues.
    - KX509 is a cert acquisition protocol for a client to get a client-cert.

    - Questions/comments:
      (i) GregH:  Are these short-term certs ("junk certs")?
          Hank: Not necessarily. Can be used for long life certs.

      (ii) Hank to all: which WG should this work go into?
           Tim: Get clearance for the work. And then bring to 
                both PKIX WG and Kerberos WG.

      (iii) Love: Does not oppose this work, but notes that current KX509 
                  only supports RSA cryptosystem.
            Hank: Shall update the doc to include other ciphers.

      (iv) Scott Cantor: Is this an application layer protocol?
           Hank: - KX509 does not modify Kerberos or PKI.
                 - Provides symmetric opposite of PKINIT. 
                   It's a "bridge" protocol.

      (v) JHutz: It is still within scope of the Kerberos WG.
                 It's not the first time the WG has taken up similar work.

    - Action Item: Chairs will get together with Hank and Tim to discuss further.


(b) Comment from GregH on Jabber about GCM-based enc type.

------------------------------------------------------------------------
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg