[Ntp] Antw: Re: Antw: [EXT] Re: Post NTS, Is shared key authentication interesting?
Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> Wed, 27 May 2020 12:45 UTC
Return-Path: <Ulrich.Windl@rz.uni-regensburg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89D6B3A0E32 for <ntp@ietfa.amsl.com>; Wed, 27 May 2020 05:45:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pn_6OC7IpyDc for <ntp@ietfa.amsl.com>; Wed, 27 May 2020 05:45:18 -0700 (PDT)
Received: from mx1.uni-regensburg.de (mx1.uni-regensburg.de [194.94.157.146]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72A0A3A0E2F for <ntp@ietf.org>; Wed, 27 May 2020 05:45:18 -0700 (PDT)
Received: from mx1.uni-regensburg.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 891F16000054 for <ntp@ietf.org>; Wed, 27 May 2020 14:45:14 +0200 (CEST)
Received: from gwsmtp.uni-regensburg.de (gwsmtp1.uni-regensburg.de [132.199.5.51]) by mx1.uni-regensburg.de (Postfix) with ESMTP id 68CC6600004F for <ntp@ietf.org>; Wed, 27 May 2020 14:45:10 +0200 (CEST)
Received: from uni-regensburg-smtp1-MTA by gwsmtp.uni-regensburg.de with Novell_GroupWise; Wed, 27 May 2020 14:45:11 +0200
Message-Id: <5ECE60D5020000A100039355@gwsmtp.uni-regensburg.de>
X-Mailer: Novell GroupWise Internet Agent 18.2.1
Date: Wed, 27 May 2020 14:45:09 +0200
From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
To: kurt@roeckx.be
Cc: "ntp@ietf.org" <ntp@ietf.org>, Hal Murray <hmurray@megapathdsl.net>, mlichvar@redhat.com
References: <68248D4C020000916A6A8CFC@gwsmtp.uni-regensburg.de> <54A83DA70200003B43047E14@gwsmtp.uni-regensburg.de> <5ECE33E0020000A10003934B@gwsmtp.uni-regensburg.de> <20200527095536.GR2915@roeckx.be> <20200527100232.GS2915@roeckx.be>
In-Reply-To: <20200527100232.GS2915@roeckx.be>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/o3ua_33MXlU2o7F-V-9Vk0Nxe2E>
Subject: [Ntp] Antw: Re: Antw: [EXT] Re: Post NTS, Is shared key authentication interesting?
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2020 12:45:21 -0000
>>> Kurt Roeckx <kurt@roeckx.be> schrieb am 27.05.2020 um 12:02 in Nachricht <20200527100232.GS2915@roeckx.be>: > On Wed, May 27, 2020 at 11:55:36AM +0200, Kurt Roeckx wrote: >> On Wed, May 27, 2020 at 11:33:20AM +0200, Ulrich Windl wrote: >> > >>> Hal Murray <hmurray@megapathdsl.net> schrieb am 26.05.2020 um 20:37 in >> > Nachricht >> > > <15818_1590518253_5ECD61ED_15818_1499_1_20200526183714.6514740605C@ip-64-139- > 1-6 >> > .sjc.megapath.net>: >> > >> > [...] >> > > >> > > Are crypto NACs interesting? Is the added complexity worth the benefit? >> > > >> > > If all you get is "NAC", what do you do next when trying to debug things? > >> > > What's different from what you would do if you didn't get any reaponse? >> > >> > Just assume on any error that can happen for a https connection you don't > get >> > a response... >> > I fyou are in control of client AND server, you may not need crypto NACs. > If >> > you are in control of the server, you also may not need crypto nacs, but if > you >> > only have access to the client and the responses, crypto nacs seem valuable >> > IMHO. >> > >> > > >> > > Should we have a separate extension type for Crypto NAC, possibly with a >> > > text >> > > payload. How many sub‑types are there? Will that leak information? ... >> > >> > I think it will not leak more information than before. An optional textual >> > description seems like a good idea. Maybe the server could be restricted to >> > provide such, or not. A model like SMTP's extended status codes sounds like > a >> > good idea to me (codes for computers, messages for humans (and maybe > computers, >> > too). >> >> I'm not sure I fully understand what you're talking about, but >> sending an error message that something with the crypto was bad >> it a bad idea. You should pretend that everything was ok. An >> attacker should not be able to see the difference between an ok >> and a not ok message. Look for instance at the TLS RFCs what they >> write about a Bleichenbacher attack. > > Since we're talking about a shared (symatric) key, it's probably not > that important. > OK, I thought the discussion was more general. AFAIR there's no response if improper authentication was supplied for symmetric keys. > > Kurt
- [Ntp] Antw: [EXT] Re: Post NTS, Is shared key aut… Ulrich Windl
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Kurt Roeckx
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Kurt Roeckx
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Miroslav Lichvar
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Harlan Stenn
- [Ntp] Antw: Re: Antw: [EXT] Re: Post NTS, Is shar… Ulrich Windl
- [Ntp] Antw: Re: Antw: [EXT] Re: Post NTS, Is shar… Ulrich Windl
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Salz, Rich
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Harlan Stenn
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Salz, Rich
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Daniel Franke
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Harlan Stenn
- Re: [Ntp] Antw: [EXT] Re: Post NTS, Is shared key… Daniel Franke