IETF Logo Mail Archive

Re: [Ietf-krb-wg] Fwd: New Version Notification for draft-ietf-krb-wg-kdc-model-05

Howard Chu <hyc@symas.com> Fri, 07 August 2009 10:45 UTC

Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@core3.amsl.com
Delivered-To: ietfarch-krb-wg-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BAB6B28C0DD for <ietfarch-krb-wg-archive@core3.amsl.com>; Fri, 7 Aug 2009 03:45:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kSKuMX0QFV0r for <ietfarch-krb-wg-archive@core3.amsl.com>; Fri, 7 Aug 2009 03:45:09 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by core3.amsl.com (Postfix) with ESMTP id 6268B3A6E8A for <krb-wg-archive@lists.ietf.org>; Fri, 7 Aug 2009 03:45:09 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.ctd.anl.gov (Postfix) with ESMTP id 4F4BD75; Fri, 7 Aug 2009 05:45:12 -0500 (CDT)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 8439370; Fri, 7 Aug 2009 05:45:10 -0500 (CDT)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 29BB380E14; Fri, 7 Aug 2009 05:45:10 -0500 (CDT)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by lists.anl.gov (Postfix) with ESMTP id BF6F280E05 for <ietf-krb-wg@lists.anl.gov>; Fri, 7 Aug 2009 05:45:08 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id A23A47CC0C7; Fri, 7 Aug 2009 05:45:08 -0500 (CDT)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 18393-09; Fri, 7 Aug 2009 05:45:08 -0500 (CDT)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay2.anl.gov (Postfix) with ESMTP id 79F667CC090 for <ietf-krb-wg@lists.anl.gov>; Fri, 7 Aug 2009 05:45:08 -0500 (CDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEABSie0pAR5jr/2dsb2JhbADPYoQWBYoI
X-IronPort-AV: E=Sophos;i="4.43,341,1246856400"; d="scan'208";a="29780661"
Received: from lirone.symas.net ([64.71.152.235]) by mailgateway.anl.gov with ESMTP; 07 Aug 2009 05:45:07 -0500
Received: from [76.91.220.157] (helo=[192.168.1.20]) by lirone.symas.net with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <hyc@symas.com>) id 1MZMwZ-0000gN-V2; Fri, 07 Aug 2009 03:45:04 -0700
Message-ID: <4A7C05AA.8040301@symas.com>
Date: Fri, 07 Aug 2009 03:44:58 -0700
From: Howard Chu <hyc@symas.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b5pre) Gecko/20090630 SeaMonkey/2.0a1pre Firefox/3.0.3
MIME-Version: 1.0
To: Jeffrey Hutzelman <jhutz@cmu.edu>
References: <200907311407.22577.leifj@mnt.se> <200908061311.48967.leifj@mnt.se> <4A7B2596.2010905@symas.com> <200908062332.15212.leifj@mnt.se> <1335145DE9FEC641FE0B33F6@atlantis.pc.cs.cmu.edu>
In-Reply-To: <1335145DE9FEC641FE0B33F6@atlantis.pc.cs.cmu.edu>
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Cc: ietf-krb-wg@lists.anl.gov
Subject: Re: [Ietf-krb-wg] Fwd: New Version Notification for draft-ietf-krb-wg-kdc-model-05
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.11
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/options/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: ietf-krb-wg-bounces@lists.anl.gov
Errors-To: ietf-krb-wg-bounces@lists.anl.gov

Jeffrey Hutzelman wrote:
> --On Thursday, August 06, 2009 11:32:14 PM +0200 Leif Johansson
> <leifj@mnt.se>  wrote:
>
>
>>>     This is a multivalued attribute containing enumerated string values
>>> representing the ticket flags defined in RFC4120 Section 2 "Ticket Flag
>>> Uses and Requests"...
>
> Strings?  Why?  The ticket flags aren't strings.

>> You're thinking of the policy as a set of the allowed flags? A ticket
>> flag  policy could be a lot more complex than that. Perhaps something
>> like  this:
>>
>> A ticket flag policy specifies the ticket flags allowed for tickets
>> issued for a principal. Minimally the expression of a ticket flag SHOULD
>> be a set of  ticket flags as defined in RFC 4120, section2.
>
> That SHOULD is silly, since there are features which use multiple ticket
> flags that cannot be logically separated.  For example, it makes little
> sense to allow MAY-POSTDATE but not POSTDATED, or FORWARDABLE but not
> FORWARDED.
>
> It's silly to set policy indicating whether the INITIAL, PRE-AUTHENT,
> and/or HW-AUTHENT flags may be set; the KDC should set them according to
> the actual situation (though one might want policy controlling whether any
> what preauth is required for a principal).  Similarly for
> TRANSITED-POLICY-CHECKED or OK-AS-DELEGATE.

Right, the actual flag bits are not useful for a ticket policy. Instead you 
need a name for a feature, which may be implemented by ticket flags, or bits 
in the KRB_AS_REQ kdc_options, or some other means (like pre-auth data). Which 
is one reason to use enumerated strings here. E.g. instead of 
ALLOW-POSTDATE+POSTDATED+VALIDATE use a string "POSTDATING" to represent that 
feature.

>> Sure but that doesn't mean the realm needs to be an element of the
>> model. We could define Realm as a first order object of the model and
>> have associations from the principals to each realm in which it lives but
>> I'm not sure what value that would add to the text...
>>
>> In other words: what property of realms other than the association of
>> the principal to it do you want to model?
>
> In other other words, despite the fact that we usually separate them in the
> protocol, how is the realm name not just part of the principal name?

I guess the realm has no interesting properties of its own, other than being a 
container for the policies and principals. OK, I'll drop this point too.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg

v2.23.0 | Report a Bug | By Email