[Ietf-krb-wg] FW: New Version Notification for draft-ietf-krb-wg-otp-preauth-13

<gareth.richards@rsa.com> Mon, 27 September 2010 12:35 UTC

From: gareth.richards@rsa.com
To: ietf-krb-wg@lists.anl.gov
Date: Mon, 27 Sep 2010 08:33:17 -0400
Message-ID: <B1371F619AB0A94C9AC73CF2E475485B0206CFAB54@MX11A.corp.emc.com>
Subject: [Ietf-krb-wg] FW: New Version Notification for draft-ietf-krb-wg-otp-preauth-13
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>

I have submitted an update to the OTP pre-auth draft following the recent WG last call.

The main changes are as follows:

1) Updated PIN change (section 2.3) to not return a ticket for the PIN change service but to instead return a KRB_ERR_PIN_EXPIRED

2) KDC Challenge (Section 3.2)
	a) Changed first paragraph to refer to description of KRB-ERROR from draft-ietf-krb-wg-otp-preauth-17

	b) Made the control of whether OTPs should be encrypted token specific and so moved the "must-encrypt-nonce" flag from the main PA-OTP-CHALLENGE into the per-token otp-keyInfo

	c) Made the hashing of OTP values token specific and so moved the supportedHashAlg and iterationCount elements to the otp-KeyInfo

	d) Added text clarifying how the "must-encrypt-nonce", supportedHashAlg and iterationCount elements are set.

	e) Since elements are moved from the main PA-OTP-CHALLENGE to the otp-keyInfo, the PA-OTP-CHALLENGE must now contain at least one otp-keyInfo

3) Client Response (section 3.3)
	a) Expanded text to clarify how the client handles the collection of the PIN

	b) Added text to clarify how the client handles challenge-response tokens and the "combine" flag

	c) Clarified when the OTP value is included in the response.

	d) Clarified how the otp-service, otp-vendor, otp-keyID, otp-length and otp-algID fields of the PA-OTP-CHALLENGE are used.

	e) Added otp-vendor to the PA-OTP-REQUEST

	f) Added text clarifying how the "must-encrypt-nonce", supportedHashAlg and iterationCount elements are used by the client.

5) Reply Key Change (section 3.5)
	a) Removed the PA-OTP-CONFIRM and allowed reply-key change to be done using the encryption in the AS-REP

	b) Made nonce in client's PA-OTP-REQUEST optional as it is now only used in the hashing of OTP values and not returned encrypted in the PA-OTP-CONFIRM

6) Key Generation (section 3.6)
	a) Added paragraph regarding the strengthen-key in the KrbFastResponse

	b) Base64 encoded OTP values always used in string-to-key

	c) Changed octet string values used in KRB-FX-CF2 to be "OTPComb1" etc

	d) Made the parameters used for string-to-key the enctype of the armor key, the salt of the principal and the default values for the enctype

7) Updated references to draft-ietf-krb-wg-anon, draft-ietf-keyprov-pskc and draft-ietf-krb-wg-otp-preauth

8) Added text to "IANA Considerations" (section 5) regarding the pre-auth types and error codes

9) Updated "Security Considerations" section on replay (section 6.4) regarding OTP replay

-----Original Message-----
From: IETF I-D Submission Tool [mailto:idsubmission@ietf.org]
Sent: 27 September 2010 13:29
To: Richards, Gareth
Subject: New Version Notification for draft-ietf-krb-wg-otp-preauth-13

A new version of I-D, draft-ietf-krb-wg-otp-preauth-13.txt has been successfully submitted by Gareth Richards and posted to the IETF repository.

Filename:	 draft-ietf-krb-wg-otp-preauth
Revision:	 13
Title:		 OTP Pre-authentication
Creation_date:	 2010-09-27
WG ID:		 krb-wg
Number_of_pages: 39

Abstract:
The Kerberos protocol provides a framework for authenticating a client using the exchange of pre-authentication data.  This document describes the use of this framework to carry out One Time Password (OTP) authentication.

The IETF Secretariat.
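Item 6 of the change list above describes how the OTP value enters key generation: the OTP value is Base64-encoded before string-to-key (6b), string-to-key uses the enctype of the armor key, the principal's salt and the enctype's default parameters (6d), and the resulting key is combined with another key through KRB-FX-CF2 using octet-string peppers such as "OTPComb1" (6c). The following is an added example, not code from the draft or from any Kerberos implementation, showing the shape of that derivation with the KRB-FX-CF2 construction from RFC 6113 (PRF+ is the concatenation of PRF(K, 0x01||S), PRF(K, 0x02||S), ... truncated to the seed length; the two PRF+ outputs are XORed and passed through random-to-key). Everything enctype-specific is a stand-in and an assumption of this example: HMAC-SHA-256 replaces the enctype PRF, PBKDF2-HMAC-SHA-1 replaces the full string-to-key (the AES enctypes of RFC 3962 apply a further DK() step that is omitted here), the 16-octet seed length, the second pepper "OTPComb2", the argument order of the two keys, and all sample values are constructed for the example.

```python
import base64
import hashlib
import hmac

# Key-generation seed length in octets. 16 stands in for a 128-bit enctype;
# a real implementation takes this from the enctype of the armor key (assumption).
SEED_LENGTH = 16


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the enctype PRF of RFC 3961 (assumption: HMAC-SHA-256).

    Real enctypes define their own PRF (for example the AES enctypes of RFC 3962);
    HMAC is used here only so that the example runs stand-alone.
    """
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, data: bytes, length: int) -> bytes:
    """PRF+ from RFC 6113: PRF(K, 0x01||S) || PRF(K, 0x02||S) || ... truncated to length."""
    out = b""
    counter = 1
    while len(out) < length:
        out += prf(key, bytes([counter]) + data)
        counter += 1
    return out[:length]


def krb_fx_cf2(k1: bytes, pepper1: bytes, k2: bytes, pepper2: bytes,
               length: int = SEED_LENGTH) -> bytes:
    """KRB-FX-CF2 (RFC 6113): random-to-key(PRF+(K1, pepper1) XOR PRF+(K2, pepper2)).

    random-to-key is the identity function for the AES enctypes, so the XOR is
    returned directly. Both keys and both peppers influence every output octet.
    """
    a = prf_plus(k1, pepper1, length)
    b = prf_plus(k2, pepper2, length)
    return bytes(x ^ y for x, y in zip(a, b))


def string_to_key(passphrase: str, salt: str, iterations: int = 4096,
                  length: int = SEED_LENGTH) -> bytes:
    """Stand-in string-to-key (assumption): the PBKDF2-HMAC-SHA-1 step of RFC 3962
    with its default iteration count of 4096, without the final DK() step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               salt.encode("utf-8"), iterations, length)


def otp_key(otp_value: bytes, principal_salt: str) -> bytes:
    """Derive the OTP key: the OTP value is Base64-encoded before string-to-key (item 6b),
    using the principal's salt and the enctype default parameters (item 6d)."""
    return string_to_key(base64.b64encode(otp_value).decode("ascii"), principal_salt)


def reply_key(armor_key: bytes, otp_value: bytes, principal_salt: str) -> bytes:
    """Combine the FAST armor key with the OTP key using KRB-FX-CF2.

    "OTPComb1" is the pepper named in the change list; "OTPComb2" and the
    argument order are assumptions of this example, not the draft's text.
    """
    k_otp = otp_key(otp_value, principal_salt)
    return krb_fx_cf2(armor_key, b"OTPComb1", k_otp, b"OTPComb2")


# Constructed sample input: a fixed 16-octet armor key, a 6-digit OTP value and a
# principal salt of the usual REALM + principal-name form. None of these are real.
ARMOR_KEY = bytes(range(16))
OTP_VALUE = b"123456"
PRINCIPAL_SALT = "EXAMPLE.COMalice"

if __name__ == "__main__":
    print("OTP key   :", otp_key(OTP_VALUE, PRINCIPAL_SALT).hex())
    print("reply key :", reply_key(ARMOR_KEY, OTP_VALUE, PRINCIPAL_SALT).hex())
```

The structure is what matters here: because the reply key is KRB-FX-CF2 over the armor key and the OTP key, a party that knows only the OTP value (a replayed or guessed OTP) cannot produce the reply key without the armor key, and a party holding the armor key alone cannot produce it without the OTP. Encoding the OTP value in Base64 before string-to-key also means the derivation never depends on whether a token emits decimal digits or raw bytes.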


