[Ietf-krb-wg] Last call issues on naming
Jeffrey Hutzelman <jhutz@cmu.edu> Tue, 29 July 2008 10:12 UTC
Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@core3.amsl.com
Delivered-To: ietfarch-krb-wg-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7C1AA28C1F1 for <ietfarch-krb-wg-archive@core3.amsl.com>; Tue, 29 Jul 2008 03:12:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.885
X-Spam-Level:
X-Spam-Status: No, score=-2.885 tagged_above=-999 required=5 tests=[AWL=-0.286, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TVmFBLjBBVBg for <ietfarch-krb-wg-archive@core3.amsl.com>; Tue, 29 Jul 2008 03:12:03 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by core3.amsl.com (Postfix) with ESMTP id 3A6EE28C267 for <krb-wg-archive@lists.ietf.org>; Tue, 29 Jul 2008 03:12:03 -0700 (PDT)
Received: from mailhost.anl.gov (localhost [127.0.0.1]) by localhost.ctd.anl.gov (Postfix) with ESMTP id 415BE36; Tue, 29 Jul 2008 04:39:24 -0500 (CDT)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 32A841D; Tue, 29 Jul 2008 04:39:13 -0500 (CDT)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id CBD0680D96; Tue, 29 Jul 2008 04:39:13 -0500 (CDT)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by lists.anl.gov (Postfix) with ESMTP id 2D57480D8C for <ietf-krb-wg@lists.anl.gov>; Tue, 29 Jul 2008 04:39:12 -0500 (CDT)
Received: by mailhost.anl.gov (Postfix) id 1E70F11; Tue, 29 Jul 2008 04:39:12 -0500 (CDT)
Delivered-To: ietf-krb-wg@anl.gov
Received: from mailhost.anl.gov (localhost [127.0.0.1]) by localhost.ctd.anl.gov (Postfix) with ESMTP id 043DD12 for <ietf-krb-wg@anl.gov>; Tue, 29 Jul 2008 04:39:12 -0500 (CDT)
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by mailhost.anl.gov (Postfix) with ESMTP id DFF7211 for <ietf-krb-wg@anl.gov>; Tue, 29 Jul 2008 04:39:11 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id C32777CC05C; Tue, 29 Jul 2008 04:39:11 -0500 (CDT)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 05406-02; Tue, 29 Jul 2008 04:39:11 -0500 (CDT)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay2.anl.gov (Postfix) with ESMTP id 9C2EF7CC059 for <ietf-krb-wg@anl.gov>; Tue, 29 Jul 2008 04:39:11 -0500 (CDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AtIAABSCjkiAAskQfGdsb2JhbACSVwEBCwUIBw6dPw
X-IronPort-AV: E=Sophos;i="4.31,271,1215406800"; d="scan'208";a="17632918"
Received: from jackfruit.srv.cs.cmu.edu ([128.2.201.16]) by mailgateway.anl.gov with ESMTP; 29 Jul 2008 04:39:11 -0500
Received: from dhcp-130-129-19-120.meeting.ietf.org ([130.129.65.46]) (authenticated bits=0) by jackfruit.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id m6T9d6b4007472 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 29 Jul 2008 05:39:09 -0400 (EDT)
Date: Tue, 29 Jul 2008 10:39:06 +0100
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: ietf-krb-wg@anl.gov
Message-ID: <F218B0172A4F7753E33C317D@atlantis.pc.cs.cmu.edu>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Disposition: inline
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Cc: jhutz@cmu.edu
Subject: [Ietf-krb-wg] Last call issues on naming
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-krb-wg-bounces@lists.anl.gov
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
The following is a summary of issues that have been raised on the naming document since draft-ietf-krb-wg-naming-04.txt entered IETF Last Call on Feb 22, 2008. There are a total of 5 issues, all but one of which I believe has been resolved as of draft-ietf-krb-wg-naming-06.txt. The remaining issue, N002, still needs a reply. However, I suspect that Larry can compose a reply without additional discussion from the working group, so unless someone has a comment, I am not planning on discussing this item at today's meeting. Participants should feel free to comment during today's meeting on any of these items or on any issue not previously noticed. However, please bear in mind that this document is at a fairly late stage and so we should not be making significant changes without a strong need. In the text below, '>' indicates comments from the listed commenter, '@' indicates comments from the document author(s), and '[[' and ']]' surround comments from the shepherd. ********************************************************************** *** OUTSTANDING ********************************************************************** * N002 Mar 06 Stephen Hanna <shanna@juniper.net> (for secdir) > it should explain why it is permissible for the TGS to allow > an authentication to succeed even if the client and/or > server principal name is an unsupported well-known name. > The reasoning for allowing this is not clear to me but > perhaps it is that the TGS can assume that the AS must > have supported the client name or it would have failed the > authentication. I'm not sure how this helps to address the > case where the server name is an unsupported well-known > name. I would like to see that explained, preferably > in the document. ********************************************************************** *** RESOLVED ********************************************************************** * N001 Mar 06 Stephen Hanna <shanna@juniper.net> (for secdir) > The Security Considerations > section could provide an example of how unintended access > could be granted if an authentication with an unsupported > well-known name is allowed to succeed. @ Example added in -05 [[ Example present in -06 ]] [[ RESOLVED - MINOR SUBSTANTIVE ]] ============================== * N003 Mar 06 Stephen Hanna <shanna@juniper.net> (for secdir) > At the end of section 1, "remedy these" should be "remedy these > issues" or something similar. Otherwise, it's not clear what is > to be remedied. [[ Corrected in -06 ]] [[ RESOLVED - EDITORIAL ]] ============================== * N004 Mar 06 Stephen Hanna <shanna@juniper.net> (for secdir) > In the last paragraph of section 3.1, the first word "is" in the > phrase "is a well-known principal name is used" should be "if". > Similarly, in the second paragraph of section 3.2, the first word > "is" should be "if" in the phrase "is a well-known realm name is used". [[ Corrected in -06 ]] [[ RESOLVED - EDITORIAL ]] ============================== * N005 Mar 20 Sam Hartman <hartmans-ietf@mit.edu> > I think there is a minor ambiguity in the naming draft: > > Consequently, unless otherwise > > specified, a well-known Kerberos realm name MUST NOT be present > > in transited encoding > > Who enforces this requirement? That's an important question because > it controls who needs to support the specific well known realm in > order for it to be used. > > I'd recommend something like: Unless otherwise specified, parties checking > the transited realm path MUST reject a transited realm path that includes a > well known realm. In the case of KDCs checking the transited realm path, > this means that the transited policy checked flag MUST NOT be set in the > resulting ticket. > > In particular, that means that a KDC that is not checking transited > realm paths is not encouraged to reject a request simply because the > realm in an unknown well known realm. @ Proposed text looks good [[ Included in -06 ]] [[ RESOLVED - MINOR SUBSTANTIVE ]] _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
- [Ietf-krb-wg] Last call issues on naming Jeffrey Hutzelman
- Re: [Ietf-krb-wg] Last call issues on naming Larry Zhu
- Re: [Ietf-krb-wg] Last call issues on naming Jeffrey Hutzelman