Re: [Ietf-krb-wg] AD review of draft-ietf-krb-wg-kerberos-referrals-14

Nico Williams <nico@cryptonector.com> Fri, 14 September 2012 16:44 UTC

From: Nico Williams <nico@cryptonector.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
Cc: "krb-wg mailing list (ietf-krb-wg@lists.anl.gov)" <ietf-krb-wg@lists.anl.gov>
Date: Fri, 14 Sep 2012 11:43:58 -0500
Subject: Re: [Ietf-krb-wg] AD review of draft-ietf-krb-wg-kerberos-referrals-14
Message-ID: <CAK3OfOjJu0_nMN3tqXY_V34daC3iPraW_5oR9bkV5=fB_AN4xg@mail.gmail.com>
In-Reply-To: <tslobl84m2q.fsf@mit.edu>
References: <50512CF2.6090801@cs.tcd.ie> <tslobl84m2q.fsf@mit.edu>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>

On Fri, Sep 14, 2012 at 11:15 AM, Sam Hartman <hartmans-ietf@mit.edu> wrote:

>     Stephen> - p10, last para, maybe s/should/ought/ if you don't want
>     Stephen> that as a 2119 should? Even without that being a SHOULD, it
>     Stephen> seems odd to recommend that the client know about realms,
>     Stephen> to the extent that it can differentiate between them, in a
>     Stephen> spec whose purpose is to get rid of per-realm configuration
>     Stephen> from clients. Is there in fact a missing 2119-level SHOULD
>     Stephen> here that also says how to do this with no client config?
>     Stephen> Or, are you really assuming that clients won't make any
>     Stephen> checks, in which case wouldn't it be better to confess the
>     Stephen> truth?
>
> What a lot of clients end up doing is confirming that the referred-to
> realm is in something like an AD forest.
> It would be valuable to mention that as an option for the local policy.
> It's actually not a bad choice in a lot of environments, although
> obviously if the trust within a forest varies widely (something that
> Kerberos supports but AD doesn't support as much)
> then you might need to be more clever.

Actually, AD does support varying levels of trust within forests.  An
AD client could search the AD configuration partition to decide
whether some realm is trusted or not, but this is hard work.

Also, a forest is not / need not be strictly hierarchical, so it can
be really hard for a client to make this check.

> The intent of that paragraph is that if you're going outside of an
> AD-style trust model you may need to prompt.

Then it seems like we need an RFC2119 SHOULD.

Nico
--
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
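The check the thread is debating, as an added example that is not part of the original message and not code from the referrals draft or any Kerberos implementation: a client-side policy that follows a KDC realm referral silently only when the referred-to realm is inside the client's locally configured trust model (the analogue of "is it in the forest"), and otherwise falls back to prompting. The trust graph, realm names, and the two policy functions are hypothetical constructions for illustration; the graph is deliberately not a strict hierarchy, to show why a name-suffix heuristic is not a substitute for consulting actual trust data.

```python
"""
Added example (not from the thread): client-side acceptance policy for a
Kerberos realm referral.

Hypothetical assumptions: the client holds a local trust model as a graph of
realm -> directly trusted realms (what an AD forest amounts to, minus any
assumption that it is a tree), and a referral is followed without prompting
only if the referred-to realm is reachable from the client's own realm
through that graph.  Anything else yields PROMPT, i.e. the user must confirm.
"""
from collections import deque

ACCEPT = "accept"
PROMPT = "prompt"

# Constructed sample trust graph (not real realms).  Note it is not a tree:
# CORP and EU trust each other, and PARTNER is trusted one-way by EU only.
SAMPLE_TRUSTS = {
    "CORP.EXAMPLE": {"EU.CORP.EXAMPLE", "US.CORP.EXAMPLE"},
    "EU.CORP.EXAMPLE": {"CORP.EXAMPLE", "PARTNER.EXAMPLE"},
    "US.CORP.EXAMPLE": {"CORP.EXAMPLE"},
    "PARTNER.EXAMPLE": set(),
}


def reachable_realms(trusts, start):
    """Breadth-first walk over the trust graph from `start`.

    Returns every realm reachable by following trust edges, including
    `start`.  Realm names are compared exactly: Kerberos realm names are
    case-sensitive, so no normalisation is applied here.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        realm = queue.popleft()
        for nxt in trusts.get(realm, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def referral_policy(trusts, local_realm, referred_realm):
    """Decide whether a referral to `referred_realm` may be followed
    silently (ACCEPT) or needs user confirmation (PROMPT), based on the
    configured trust graph rather than on the realm's name."""
    if referred_realm == local_realm:
        return ACCEPT
    if referred_realm in reachable_realms(trusts, local_realm):
        return ACCEPT
    return PROMPT


def naive_hierarchy_policy(local_realm, referred_realm):
    """The heuristic that does NOT work for non-hierarchical trust: accept
    whenever one realm name is a DNS-style suffix of the other.  Shown only
    to contrast with referral_policy(); it both rejects genuinely trusted
    realms and accepts any realm that merely shares a name suffix."""
    if referred_realm == local_realm:
        return ACCEPT
    if referred_realm.endswith("." + local_realm) or local_realm.endswith("." + referred_realm):
        return ACCEPT
    return PROMPT


if __name__ == "__main__":
    cases = [
        ("US.CORP.EXAMPLE", "PARTNER.EXAMPLE"),   # trusted via CORP -> EU -> PARTNER
        ("CORP.EXAMPLE", "ROGUE.CORP.EXAMPLE"),   # looks like a child, but not trusted
        ("PARTNER.EXAMPLE", "CORP.EXAMPLE"),      # one-way trust: not reachable back
    ]
    for local, referred in cases:
        print(local, "->", referred,
              "graph:", referral_policy(SAMPLE_TRUSTS, local, referred),
              "suffix:", naive_hierarchy_policy(local, referred))
```

The design point is the one Nico makes: because a forest need not be a hierarchy, the only sound input to the "is this realm trusted" decision is the trust data itself (here the graph; in AD, what the configuration partition records), and a realm whose name merely looks like it belongs to the forest is exactly the case the suffix heuristic gets wrong. Whatever the client cannot establish from that data should route to the prompt path the draft's SHOULD would require.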