Kerberos name constraints I-D

"Paul Rabinovich" <Paul.Rabinovich@exostar.com> Mon, 17 September 2007 17:33 UTC

Subject: Kerberos name constraints I-D
Date: Mon, 17 Sep 2007 12:05:47 -0400
From: Paul Rabinovich <Paul.Rabinovich@exostar.com>
To: ietf-pkix@vpnc.org

Hello,

Please find attached the 0th draft of the I-D “Constraining Kerberos
Names in X.509 Certificates”. The I-D was not included in the Kerberos WG
Charter. The chairs recommended that I do an individual submission. Since
it concerns both Kerberos and PKI, I'd like to solicit feedback from the
PKIX WG.

There are a couple of issues I’d like to draw your attention to:

1) “Other” name constraints applicable to Kerberos names: (a) Is it even a
good idea to apply one type of name constraint to a name of a different
type? (RFC 3280 does not do this, with one exception for backward
compatibility.) (b) Issuing CAs may label names as NT-PRINCIPAL or some such
to circumvent these name constraints. (c) RFC 4120 is ambiguous about
certain Kerberos names. E.g., NT-SMTP-NAME, “Name in the form of an SMTP
e-mail name (e.g., user@example.com)”: is it always an RFC 822 name, or does
it only look like one? The same is true for NT-SRV-XHST and X.500 names,
etc.

2) I’m concerned about ambiguity of name encodings. E.g., in an NT-SRV-XHST
name, what is the encoding of the name-string field? Is it a left-to-right
DN or right-to-left? I’d like to make sure the encoding issue is
unambiguously resolved for all name types.

3) In RFC 4120: is it true that domain-style realm names never start with
“.”? It should be true, but it’s not stated there.

4) How are X500-style realm names encoded?

5) Should we do any pattern matching for “other”-style realm names? My draft
talks only about exact realm name match for them.

I appreciate all feedback.

Best regards,
PR

Paul Rabinovich | Software Architect | EXOSTAR LLC
13530 Dulles Technology Dr., Suite 200, Herndon, VA 20171
PH +1.703.793.7808 | FAX +1.703.793.7741
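As an added example (not text from the I-D and not the author's code), here is a small Python model of realm-name constraint checking as the questions above frame it: domain-style realms get suffix matching modelled on the RFC 3280 dNSName rule, X.500-style and “other”-style realms get exact matching only, a constraint of one realm style never matches a realm of another style, and a domain-style realm that starts with “.” is rejected outright. The realm classification heuristics, the case-insensitive comparison of domain-style realms, and splitting the principal on its last “@” are assumptions made for the example.

```python
import re

# Assumed realm classification, loosely following the RFC 4120 conventions the
# message refers to: X.500-style realms are '/'-delimited, domain-style realms
# look like DNS names, anything else is "other"-style.
_DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def realm_style(realm: str) -> str:
    """Classify a realm as 'domain', 'x500', 'other' or 'invalid'."""
    # Issue 3 in the message: a domain-style realm should never start with ".".
    # Treat such realms (and empty ones) as invalid so no constraint matches them.
    if not realm or realm.startswith(".") or realm.endswith("."):
        return "invalid"
    if "/" in realm:
        return "x500"
    if ":" not in realm and _DOMAIN_RE.fullmatch(realm):
        return "domain"
    return "other"


def realm_matches(realm: str, constraint: str) -> bool:
    """Does a single permitted/excluded realm constraint cover `realm`?"""
    style = realm_style(realm)
    # Never apply a constraint of one realm style to a realm of another style.
    if style == "invalid" or style != realm_style(constraint):
        return False
    if style == "domain":
        # Modelled on the RFC 3280 dNSName rule: the constraint matches the realm
        # itself or any realm ending in "." + constraint (label boundary).
        # Domain-style realms are compared case-insensitively (assumption).
        r, c = realm.upper(), constraint.upper()
        return r == c or r.endswith("." + c)
    # X.500-style and "other"-style realms: exact match only, as the draft does
    # for "other"-style realms.
    return realm == constraint


def check_principal(principal: str, permitted: list, excluded: list) -> bool:
    """Apply permitted/excluded realm constraints to a 'name@REALM' principal.

    Splits on the last '@' and ignores RFC 1964 backslash escapes (simplification).
    An excluded match always wins; an empty permitted list permits every realm.
    """
    if "@" not in principal:
        return False
    _, realm = principal.rsplit("@", 1)
    if any(realm_matches(realm, c) for c in excluded):
        return False
    return not permitted or any(realm_matches(realm, c) for c in permitted)
```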