Re: [Ietf-krb-wg] [secdir] SecDir review of draft-ietf-krb-wg-kerberos-referrals-14
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 25 September 2012 17:36 UTC
To: Yaron Sheffer <yaronf.ietf@gmail.com>
References: <4FBFAE5F.8010305@gmail.com> <505F7514.8030908@gmail.com> <5061E4AE.2030701@ieca.com> <5061E628.2070708@gmail.com>
In-Reply-To: <5061E628.2070708@gmail.com>
Cc: Sean Turner <turners@ieca.com>, draft-ietf-krb-wg-kerberos-referrals.all@tools.ietf.org, "krb-wg mailing list (ietf-krb-wg@lists.anl.gov)" <ietf-krb-wg@lists.anl.gov>, secdir@ietf.org
Re-tx'ing so the list sees the secdir review.

S.

On 09/25/2012 06:13 PM, Yaron Sheffer wrote:
> Nope, but that's per the process described in
> http://trac.tools.ietf.org/area/sec/trac/wiki/SecDirReview. The WG
> chairs are supposedly on the ".all" alias.
>
> Thanks,
> Yaron
>
> On 09/25/2012 07:06 PM, Sean Turner wrote:
>> Did these ever make it to the krb-wg mailing list?
>>
>> spt
>>
>> On 9/23/12 4:46 PM, Yaron Sheffer wrote:
>>> I have reviewed this document as part of the security directorate's
>>> ongoing effort to review all IETF documents being processed by the IESG.
>>> These comments were written primarily for the benefit of the security
>>> area directors. Document editors and WG chairs should treat these
>>> comments just like any other last call comments.
>>>
>>> This document adds a "referral" mechanism to Kerberos, where a client
>>> (e.g. an end user) can use a generic enterprise-wide name, and have it
>>> mapped to one that is specific to its correct realm; similarly, a
>>> generic name can be used for a service, and the KDC will respond with
>>> the correct principal name (and realm) for the service.
>>>
>>> Summary
>>>
>>> It is obvious that the analysis in the document's Security
>>> Considerations is very thorough. Unfortunately I do not have the
>>> Kerberos expertise (which apparently requires knowledge of specific
>>> implementations' quirky behavior) to determine if all relevant cases
>>> were covered.
>>>
>>> A cursory reading of the Considerations is quite discouraging: several
>>> security mechanisms exist but they are not universally applied, some
>>> implementations do not even follow the base protocol etc. I can only
>>> hope that modern Kerberos implementations have improved in the 11 years
>>> since this protocol first got started.
>>>
>>> Details
>>>
>>> - Sec. 4: "trusted name service" is not well defined. In fact it can be
>>> construed as a euphemism for "enterprise-internal DNS", which is advised
>>> against earlier.
>>> - 4.1, last paragraph: is there no possibility for an "issuing realm" to
>>> "publish" ownership of some resources to the consuming realm, and thus
>>> effectively claim those resources?
>>> - 6. In the authorization ASN.1 snippet, what is the value of MAX?
>>> - 7, first paragraph: when the client sends the request to example.com,
>>> shouldn't it ensure first that it has a pre-existing (pre-configured)
>>> trust relationship with example.com?
>>> - 10: the last paragraph ("Accordingly") is a bit too vague and probably
>>> does not provide implementors with sufficient advice.
>>> - 10: overall it is not clear if this section also applies to caching of
>>> client referrals.
>>> - 11: surprise! FAST (which was an optional SHOULD in Sec. 6) is now a
>>> MUST! Even if it's just FAST negotiation that's a MUST, but FAST itself
>>> (or an equivalent) is just a SHOULD, this still doesn't make a lot of
>>> sense, and should at least be explained.
>>> - 11: this section defines a new structure, but only explains a few of
>>> its members. Please mention where all the other members are defined (RFC
>>> 4120?). By the way, key-expiration is said to be deprecated in RFC 4120,
>>> but what do I know.
>>> - General: the document is said to update RFC 4120. A short section with
>>> a summary of the specific updates would be very useful, so that
>>> implementors can find out if they need to change anything, even if they
>>> do NOT support the Referral functionality. (This is really a shortcoming
>>> of the IETF notion of "RFC X updates RFC Y.")
>>> - Appendix A: in "current implementation", do you mean post-Win 2003?
>>> Please clarify.
>>> - Appendix A: a reference to the MS documentation might be appropriate:
>>> http://msdn.microsoft.com/en-us/library/cc233855(v=prot.13).aspx
>>>
>>> Thanks,
>>> Yaron
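Two of the review's questions (whether a client should confirm a pre-existing trust relationship with a realm before acting on a referral, and whether the caching guidance also covers client referrals) are easiest to reason about with a concrete client-side policy in front of you. The following is an added illustration written for this archive page; it is not code from the thread, from the referrals draft, or from any Kerberos implementation. It assumes a simplified model in which the KDC answers a generic name with a canonical principal and realm, the client holds a configured set of trusted realms, and canonicalized names are cached for a bounded lifetime; the names, realms and KDC answers are constructed sample data.

```python
# Added illustration, not code from the thread or from the referrals draft.
# Models a Kerberos client that follows a KDC referral only into a realm it has
# a pre-configured trust relationship with, and that caches canonicalized
# names for a bounded lifetime so stale referrals are re-asked rather than
# reused indefinitely. Names, realms and KDC answers below are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
import time


@dataclass(frozen=True)
class Referral:
    requested: str   # generic (enterprise-wide) name the client asked about
    principal: str   # canonical principal name the KDC answered with
    realm: str       # realm the KDC says owns that principal


class ReferralPolicyError(Exception):
    """Raised when a referral points at a realm the client does not trust."""


class ReferralClient:
    def __init__(self, trusted_realms, cache_ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        # Realms this client has a pre-existing (configured) trust relationship with.
        self.trusted_realms = frozenset(trusted_realms)
        self.cache_ttl = cache_ttl
        self._clock = clock
        # requested name -> (principal, realm, absolute expiry time)
        self._cache: Dict[str, Tuple[str, str, float]] = {}

    def cached(self, requested: str) -> Optional[Tuple[str, str]]:
        """Return the cached canonical (principal, realm) if it is still fresh."""
        entry = self._cache.get(requested)
        if entry is None:
            return None
        principal, realm, expires = entry
        if self._clock() >= expires:
            del self._cache[requested]   # stale entry: drop it and re-ask the KDC
            return None
        return principal, realm

    def resolve(self, requested: str,
                ask_kdc: Callable[[str], Referral]) -> Tuple[str, str]:
        """Canonicalize a generic name via cache or KDC, enforcing the trust policy."""
        hit = self.cached(requested)
        if hit is not None:
            return hit
        ref = ask_kdc(requested)
        # Policy check: never follow a referral into a realm we have no trust
        # relationship with, whatever the KDC claims about the name.
        if ref.realm not in self.trusted_realms:
            raise ReferralPolicyError(
                f"referral for {requested!r} points at untrusted realm {ref.realm!r}")
        self._cache[requested] = (ref.principal, ref.realm,
                                  self._clock() + self.cache_ttl)
        return ref.principal, ref.realm


# Constructed sample KDC answers (hypothetical names, not from the draft).
SAMPLE_KDC = {
    "http/intranet": Referral("http/intranet", "HTTP/intranet.corp.example", "CORP.EXAMPLE"),
    "cifs/files": Referral("cifs/files", "cifs/files.partner.example", "PARTNER.EXAMPLE"),
}


def sample_kdc(requested: str) -> Referral:
    try:
        return SAMPLE_KDC[requested]
    except KeyError:
        raise LookupError(f"no referral known for {requested!r}")


def demo() -> dict:
    """Exercise the policy against the constructed answers with a fake clock."""
    calls = []

    def counting_kdc(name: str) -> Referral:
        calls.append(name)
        return sample_kdc(name)

    fake_now = [1000.0]
    client = ReferralClient({"CORP.EXAMPLE"}, cache_ttl=60.0,
                            clock=lambda: fake_now[0])
    first = client.resolve("http/intranet", counting_kdc)    # asks the KDC
    fake_now[0] += 30.0
    second = client.resolve("http/intranet", counting_kdc)   # served from cache
    fake_now[0] += 60.0
    third = client.resolve("http/intranet", counting_kdc)    # expired: asks again
    try:
        client.resolve("cifs/files", counting_kdc)            # untrusted realm
        rejected = False
    except ReferralPolicyError:
        rejected = True
    return {"resolved": first, "consistent": first == second == third,
            "kdc_calls": len(calls), "untrusted_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The two knobs worth noticing are the `trusted_realms` set, which is consulted before the answer is used or cached rather than after, and the expiry stored alongside each cached mapping, which bounds how long a referral keeps steering the client without being re-confirmed by the KDC.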