[Ietf-krb-wg] AD review of draft-ietf-krb-wg-kerberos-referrals-14

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 13 September 2012 00:46 UTC

Message-ID: <50512CF2.6090801@cs.tcd.ie>
Date: Thu, 13 Sep 2012 01:46:42 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120827 Thunderbird/15.0
MIME-Version: 1.0
To: "krb-wg mailing list (ietf-krb-wg@lists.anl.gov)" <ietf-krb-wg@lists.anl.gov>

Hi all,

I've done my review of this. Please treat these along with
any other IETF LC comments. I've asked for IETF LC to be
started.

Thanks,
S,

- p10, last para, maybe s/should/ought/ if you don't want
that as a 2119 should? Even without that being a SHOULD, it
seems odd to recommend that the client know about realms, to
the extent that it can differentiate between them, in a spec
whose purpose is to get rid of per-realm configuration from
clients. Is there in fact a missing 2119-level SHOULD here
that also says how to do this with no client config? Or, are
you really assuming that clients won't make any checks, in
which case wouldn't it be better to confess the truth?

- If a KDC receives an AS-REQ with no PA-REQ-ENC-PA-REP or
canonicalize KDC option then I assume that KDC MUST behave
according to 4120. Is that stated explicitly somewhere? Does
there need to be any similar statement about TGS-REQs or TGTs
(since the new padata type is a MAY for TGS-REQs)?

nits:

- more examples would help here, the one in section 8 is
great and more of that would help make this an easier read I
reckon.

- p8, NT-UID could do with a reference or maybe just say
somewhere that "all the name types (NT-*) are defined in RFC
4120"

- p9, Are you saying that all cross-realm uses of
AD-KDC-ISSUED are not "well explored" or just cross-realm
uses of login-aliases? It's not quite clear to which the
SHOULD applies.

- p10, 3rd last para, "used to generate the first referral"
means value used in the first AS-REQ I think? If so, saying
that rather than calling it a referral seems less likely to
mislead. The current text could I guess cause someone to pick
the wrong cname field. Maybe it's just me, but I think it's odd
to refer to an AS-REQ as a referral. The term referral
suggests a response message to me I guess.

- section 9, s/it including/it includes/?

- p13, "MUST be ignored by the receiving KDC" - I realise
you're talking about the value of the padata type and not the
type, but it reads awfully close to saying that KDCs "MUST
ignore PA-REQ-ENC-PA-REP" whereas you want that a KDC MUST
react to its presence.

- p13, typo s/The The/The/

- p14, "Because of existing..." that sentence ought not be in
the final RFC so please mark it as such. It'd also be better
to directly ask IANA to do something rather than say "should
be registered." The current text would leave IANA and the RFC
editor wondering about what ought to go in the RFC so may as
well fix it now.

- Is "current implementation" still correct in Appendix A?
Just checking in case that's very old text.
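
The two KDC-side points above (an AS-REQ carrying neither the canonicalize KDC option nor PA-REQ-ENC-PA-REP falls back to plain RFC 4120 processing, and a KDC reacts to the presence of PA-REQ-ENC-PA-REP while ignoring its value) can be made concrete with a small dispatch model. This is an added illustration by the editor, not code from the draft, the reviewer, or any KDC implementation. The padata type number 149 and the flag-name representation of KDCOptions are assumptions for the model (the number is what the editor recalls from the draft's IANA section; it is not stated on this page), and the requests are constructed sample input.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# Assumed padata type number for PA-REQ-ENC-PA-REP (editor's recollection of
# the draft's IANA section; not taken from this page).
PA_REQ_ENC_PA_REP = 149


@dataclass
class AsReq:
    """Minimal stand-in for the parts of an AS-REQ the dispatch looks at."""
    cname: str
    # KDCOptions modelled as a set of flag names, e.g. {"canonicalize"},
    # to avoid committing to an ASN.1 bit position here.
    kdc_options: FrozenSet[str] = field(default_factory=frozenset)
    # padata as (padata-type, padata-value) pairs in wire order.
    padata: List[Tuple[int, bytes]] = field(default_factory=list)


def has_req_enc_pa_rep(req: AsReq) -> bool:
    """Presence test only: the padata-value is never inspected, whatever it
    holds (empty, junk, or well-formed). This is the reading of "MUST be
    ignored by the receiving KDC" the review wants stated unambiguously."""
    return any(ptype == PA_REQ_ENC_PA_REP for ptype, _value in req.padata)


def canonicalize_requested(req: AsReq) -> bool:
    """True if the canonicalize KDC option is set on the request."""
    return "canonicalize" in req.kdc_options


def classify_as_req(req: AsReq) -> dict:
    """Decide which processing path the KDC takes for this AS-REQ.

    Neither signal present -> plain RFC 4120 processing, the explicit
    fallback the review asks the draft to spell out. Otherwise only the
    referral extensions that were actually signalled are switched on.
    """
    canon = canonicalize_requested(req)
    enc = has_req_enc_pa_rep(req)
    return {
        "path": "referrals" if (canon or enc) else "rfc4120",
        "canonicalize": canon,
        "enc_pa_rep": enc,
    }


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        AsReq("alice@EXAMPLE.COM"),
        AsReq("alice@EXAMPLE.COM", frozenset({"canonicalize"})),
        AsReq("alice@EXAMPLE.COM", padata=[(PA_REQ_ENC_PA_REP, b"")]),
        AsReq("alice@EXAMPLE.COM", padata=[(PA_REQ_ENC_PA_REP, b"\xff\x00junk")]),
    ]
    for r in samples:
        print(sorted(r.kdc_options), r.padata, "->", classify_as_req(r))
```

The two requests that carry PA-REQ-ENC-PA-REP with different values classify identically, which is the behaviour the "MUST be ignored" sentence is meant to describe; a request with neither signal, or with only unrelated padata, takes the RFC 4120 path.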
