IETF Logo Mail Archive

Re: [Ietf-krb-wg] Kitten and Kerberos WG Merger - New Charter

Simon Josefsson <simon@josefsson.org> Fri, 04 January 2013 11:19 UTC

Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 151D821F8EEE for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Fri, 4 Jan 2013 03:19:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.254
X-Spam-Level:
X-Spam-Status: No, score=-103.254 tagged_above=-999 required=5 tests=[AWL=3.345, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2maL9VzgQB4a for <ietfarch-krb-wg-archive@ietfa.amsl.com>; Fri, 4 Jan 2013 03:19:03 -0800 (PST)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by ietfa.amsl.com (Postfix) with ESMTP id E860B21F8EEA for <krb-wg-archive@lists.ietf.org>; Fri, 4 Jan 2013 03:19:02 -0800 (PST)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 1EF9C70; Fri, 4 Jan 2013 05:19:02 -0600 (CST)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 52D5B59; Fri, 4 Jan 2013 05:19:00 -0600 (CST)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 2947354C041; Fri, 4 Jan 2013 05:19:00 -0600 (CST)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by lists.anl.gov (Postfix) with ESMTP id 3D8BA54C03E for <ietf-krb-wg@lists.anl.gov>; Fri, 4 Jan 2013 05:18:59 -0600 (CST)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 207BC7CC0AF; Fri, 4 Jan 2013 05:18:59 -0600 (CST)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 30955-06; Fri, 4 Jan 2013 05:18:59 -0600 (CST)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id E1FEF7CC08A for <ietf-krb-wg@lists.anl.gov>; Fri, 4 Jan 2013 05:18:58 -0600 (CST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ap4EANO55lDVc7Ot/2dsb2JhbABFvWZzgh4BAQQBVhYKAwULCyEPBBIPAQQZDCQTiA0KCLVtjHt3gycDlgyBHI8sgnU
X-IronPort-AV: E=Sophos;i="4.84,409,1355119200"; d="scan'208";a="9116756"
Received: from static-213-115-179-173.sme.bredbandsbolaget.se (HELO yxa-v.extundo.com) ([213.115.179.173]) by mailgateway.anl.gov with ESMTP/TLS/DHE-RSA-AES256-SHA; 04 Jan 2013 05:18:57 -0600
Received: from latte.josefsson.org (host-95-192-63-171.mobileonline.telia.com [95.192.63.171]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id r04BIjSW023814 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 4 Jan 2013 12:18:48 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Shawn Emery <shawn.emery@oracle.com>
References: <50E6966D.9040704__49484.1541782536$1357289172$gmane$org@oracle.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:130104:kitten@ietf.org::hS9LjaY5M207Y0dM:0BBZ
X-Hashcash: 1:22:130104:shawn.emery@oracle.com::HnazTXXPx7bJKxld:E44V
X-Hashcash: 1:22:130104:ietf-krb-wg@lists.anl.gov::D+byjRdrEQvT2Pva:OhyS
Date: Fri, 04 Jan 2013 12:18:39 +0100
In-Reply-To: <50E6966D.9040704__49484.1541782536$1357289172$gmane$org@oracle.com> (Shawn Emery's message of "Fri, 04 Jan 2013 01:44:29 -0700")
Message-ID: <87mwwp19io.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)
MIME-Version: 1.0
X-Virus-Scanned: clamav-milter 0.97.3 at yxa-v
X-Virus-Status: Clean
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Cc: "kitten@ietf.org" <kitten@ietf.org>, ietf-krb-wg@lists.anl.gov
Subject: Re: [Ietf-krb-wg] Kitten and Kerberos WG Merger - New Charter
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/options/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
Sender: ietf-krb-wg-bounces@lists.anl.gov

Shawn Emery <shawn.emery@oracle.com> writes:

> Common Authentication Technology Next Generation (kitten)
> ---------------------------------------------------------
>
>  Charter
...

> This charter subsumes the Kerberos WG under the auspices of the kitten WG.
> Therefore the following charter text contains both kitten and Kerberos WG items.

I suggest to remove this paragraph.  I don't see significant value in
having that in the WG charter, and it seems confusing for anyone not
familiar with the history.

> In detail, both existing and new work items include:
>
> Existing Working Group Items
> ---------------------------
> SASL Mechanism for OAuth (draft-ietf-kitten-sasl-oauth)

Good idea -- will review, could contribute.

> SASL Mechansim for SAML-EC (draft-ietf-kitten-sasl-saml-ec)

Good idea -- will contribute & review.

> GSS-API IANA Registry (draft-ietf-kitten-gssapi-extensions-iana)

No objection.

> KDC Model (draft-ietf-krb-wg-kdc-model)

Long overdue.  I have always preferred that this document shipped
together with an instanciation of it, such as an LDAP schema.  I based
my KDC backend database on an earlier version of this draft, but the
document has changed since then.  Without implementations it is
difficult to know whether there are flaws in the abstract model.

> PKINIT Hash Agility (draft-ietf-krb-wg-pkinit-alg-agility)
> Kerberos IANA Registry (draft-ietf-kitten-kerberos-iana-registries)
> Initial and Pass Through Authentication in Kerberos 5 (draft-ietf-krb-wg-iakerb)
> Unencrypted Portion of Ticket Extensions (draft-ietf-krb-wg-ticket-extensions)

No objection.

> GSS-API Related
> ---------------
> Provide new interfaces for credential management, which include the
>       following:
>        initializing credentials
>        iterating credentials
>        exporting/importing credentials

Good idea -- will review, could contribute.

> Negotiable replay cache avoidance

No objection.

> Define interfaces for better error message reporting.

I'd rather not spend time on that.  Do we have a problem statement to
argue why this is important?

> Specify an option for exporting partially-established security
>       contexts and possibly a utility function for exporting security
>       contexts in an encrypted form, as well as a corresponding utility
>       function to decrypt and import such security context tokens.

Good idea - may review.

> Specify one-time password / two-factor authentication needs for SASL
>       applications.  This could be achieved through an explicit new
>       GSS-API/SASL mechanism (e.g.,
>       http://tools.ietf.org/html/draft-josefsson-kitten-crotp-00) or if
>       the consensus is that due to usability reasons, it is preferable to do
>       OTP/2FA through an higher level protocol
>       (Kerberos/OpenID/SAML/SAML20EC/EAP?) then prepare a document explaining
>       the usability problem and provide pointers for implementers.

Good idea -- will contribute.

> Kerberos Related
> ----------------
> Prepare and advance one or more standards-track specifications which
>       update the Kerberos version 5 protocol to support non-ASCII principal
>       and realm names, salt strings, and passwords, and localized error
>       reporting.  Maximizing backward compatibility is strongly desired.

Localized error reporting: good idea -- will contribute.  The draft for
it has been ready for a long time.

Regarding the rest I would prefer to wait until other protocols have
deployed PRECIS to gain experience with it.  Given the experience with
SASLprep in SASL it was fortunate that we didn't go that route with
Kerberos.  I don't want Kerberos to end up in a similar situation only
replacing SASLprep with PRECIS.

> Prepare, review, and advance standards-track and informational
>       specifications defining new authorization data types for carrying
>       supplemental information about the client to which a Kerberos ticket
>       has been issued and/or restrictions on what the ticket can be used
>       for. To enhance this ongoing authorization data work, a container
>       format supporting the use cases of draft-ietf-krb-wg-pad may be
>       standardized.

Good idea.

> Prepare a standards-track protocol to solve the use cases addressed
>       by draft-hotz-kx509-01 including new support for digital signatures.

Good idea.

> Today Kerberos requires a replay cache to be used in AP exchanges in
>       almost all cases.  Replay caches are quite complex to implement
>       correctly, particularly in clustered systems. High-performance replay
>       caches are even more difficult to implement.  The WG will pursue
>       extensions to minimize the need for replay caching, optimize replay
>       caching, and/or elide the need for replay caching.

Good idea.

> Prepare, review, and advance standards-track and informational
>       specifications defining use of new cryptographic algorithms in the
>       Kerberos protocol using the RFC3961 framework, on an ongoing
>       basis.  

Good idea -- will review.

>       Cryptographic algorithms intended for standards track status must be of
>       good quality, have broad international support, and fill a definite need.

IMHO this sentence is weasel-wording to motivate arbitrary decisions to
match some people's crypto preferences.  The IETF already have policies
around crypto (for example RFC 1984) that are sufficient motivation to
turn down obviously bad proposals.  When a proposal is not obviously
bad, I belive the WG should be able to review any proposal with
non-judgemental eyes.

> Prepare, review, and advance standards-track and informational
>       specifications of new pre-authentication types for the Kerberos
>       protocol, on an ongoing basis.

Good idea.

> Prepare, review, and advance standards track updates and extensions to RFC4121,
>       as needed and on an ongoing basis.

Good idea.

> Goals and Milestones
> --------------------
>
> Jan 2013	draft-ietf-kitten-sasl-oauth to IESG
> Jan 2013	draft-ietf-krb-wg-kdc-model to IESG
> Feb 2013	draft-ietf-krb-wg-pkinit-alg-agility to IESG
> Feb 2013	draft-ietf-kitten-sasl-saml-ec to IESG
> Mar 2013	draft-ietf-krb-wg-iakerb to IESG
> Mar 2013	draft-ietf-kitten-gssapi-extensions-iana to IESG
> Apr 2013	draft-ietf-krb-wg-cammac to IESG
> Apr 2013	draft-ietf-kitten-kerberos-iana-registries to IESG
> May 2013	draft-ietf-krb-wg-pad to IESG
> May 2013	Adopt work on one or more items for GSS-API cred management
> Jun 2013	Adopt work on better error reporting in the GSS-API
> Jun 2013	Adopt work on exporting partially-established GSS-API contexts
> Jul 2013	draft-ietf-krb-wg-ticket-extensions to IESG
> Jul 2013	Adopt work on the GSS-API for replay cache avoidance

I believe the targets are unrealistically optimistic, however my
perception is that the only purpose for having dates in the milestones
is to enable IESG to put pressure on WG's to deliver.  So I support
setting an aggresive timeline.

/Simon
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg

v2.23.0 | Report a Bug | By Email