Re: [saag] krb-wg report
Larry Zhu <lzhu@windows.microsoft.com> Thu, 26 March 2009 22:34 UTC
From: Larry Zhu <lzhu@windows.microsoft.com>
To: "saag@ietf.org" <saag@ietf.org>, "ietf-krb-wg@anl.gov" <ietf-krb-wg@anl.gov>
Date: Thu, 26 Mar 2009 15:35:14 -0700
Message-ID: <AB1E5627D2489D45BD01B84BD5B9004614F5954CDF@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
Subject: Re: [saag] krb-wg report
This is a correction to the first paragraph in the Krb-wg report. Jeff and I discussed this, and have come to the conclusion that the posted summary suggests that decisions on starttls were made in the working group meeting on issues which were not decided. This is due in part to incorporating discussions which occurred in the Jabber room but not in the meeting proper. It was also partly due to my interpretation of certain discussions as reaching a decision, during a portion of the meeting I was not running. I did send the summary to Jeff before posting, and I somehow missed the points where Jeff brought these up in his response. With that I would like to retract the paragraph on starttls status and clarify as follows:

- We did not come to a conclusion on certificate validation, which is a discussion still ongoing on the krb-wg mailing list, but which the chairs hope will be resolved soon.
- We did not come to a conclusion on the question of whether to adopt the krb5starttls-bootstrap document or on the separation of features between core starttls and -bootstrap. However, we did collect some input which we hope will help us to make a useful proposal for moving forward.
- The intended status of the starttls document was also not decided, and it was only discussed briefly in the Jabber room.

Thanks,
--larry

From: Larry Zhu
Sent: Thursday, March 26, 2009 12:59 PM
To: saag@ietf.org; ietf-krb-wg@anl.gov
Subject: krb-wg report

Krb-wg met Tuesday afternoon.
Chairs: Jeffrey Hutzelman and Larry Zhu
Scribe: Shawn Emery
AD: Tim Polk

We reviewed the changes in our current Internet Drafts. We discussed issues raised in list discussions and consensus calls.

There are two outstanding issues for draft-josefsson-kerberos5-starttls, namely KDC-certificate validation and channel bindings. It is noted that current starttls implementations can only handle pre-shared certificates. We decided that starttls should require certificate validation using pre-shared certificates. There is no consensus on how the certificates can be verified otherwise, with alternative options involving various EKUs and SANs proposed. The lack of channel bindings will be handled in a separate document. Due to these limitations, the starttls document should be published as is as informational, except to update it to reflect the certificate validation decision. The channel binding document krb5starttls-bootstrap is adopted as a working group item. These decisions are to be verified on the list.

We then discussed an issue involving the RFC3961 PRF for AES. We found that all current implementations truncate the output to a multiple of the AES cipher block size, 16 bytes, while the specification in RFC3961 does not truncate. We decided to adopt the PRF with truncation as the official PRF, but we are to find out what is the right process to do this, and we will involve the document author Ken and security AD Tim Polk. The decision is to be verified on the list.

After the PRF discussion, we turned our attention to two issues in the preauth document. Sam made the presentation. One is how to detect, and thus prevent, the FAST padata from being stripped by active attackers. An AD element will be used to indicate FAST padata is used to mitigate the threat. Another issue is that the TLS-finished style checksum adds some complexity for implementers but no significant benefits. We will remove the finished checksum in the next revision.

We also have the following additional action items and decisions:

1) Updates to the data model document have been made based on WGLC comments. We will start another WGLC. Follow up: jhutz and Leif.
2) The anonymity document has one new open issue regarding exported names. Larry Zhu is going to propose a solution and go through the list. We had good and healthy discussions. Followup: Larry.
3) Love proposed an alternative proposal to use the server nonce to allow both the client and the KDC to contribute to the ticket session key. Larry Zhu and Love will write up the idea and propose it to the list. Followup: Larry and Love.
4) IAKERB WGLC is concluded. One comment is to be addressed by adding appropriate text to the security considerations section. Followup: Larry to update, and Jhutz to forward it to IESG.
5) Ticket extensions adopted as a working group item. Followup: jhutz.
6) DHCP options to be added to allow KDC discovery, adopted as a working group item, and to update the krb-wg charter. Followup: jhutz.
7) The preauth ID to be updated and start WGLC. Followup: Sam Hartman to publish -11 based on the group decisions; 3 designated volunteer reviewers to complete review in the next week's timeframe: Cliff Newman, Love, and Nicolas Williams.
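The RFC 3961 PRF point in the report is easy to misread without the algorithm in front of you, so here is an added example (written for this page; it is not part of the report and not code from any Kerberos implementation) that builds the simplified-profile PRF for aes128-cts-hmac-sha1-96 out of the RFC 3961 n-fold and DK() functions and the RFC 3962 AES-CBC-CTS primitive, then runs it both ways. Read literally, RFC 3961 truncates the SHA-1 digest to "a multiple of m", where m is the message block size, and RFC 3962 sets that to 1 byte for AES, so nothing is truncated and the 20-byte digest is encrypted whole into 20 bytes of output. The shipping implementations instead truncated to the 16-byte cipher block size and produced 16 bytes, which is the variant the meeting chose and the one RFC 6113 later documented. The protocol key and input string below are constructed for the example only.

```go
package main

import (
	"crypto/aes"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// gcd is used to size the n-fold expansion buffer.
func gcd(a, b int) int {
	for b != 0 {
		a, b = b, a%b
	}
	return a
}

// rotr13 returns in rotated right, as one bit string, by 13*times bits.
func rotr13(in []byte, times int) []byte {
	n := len(in)
	bits := 13 * times
	byteShift, bitShift := (bits/8)%n, uint(bits%8)
	out := make([]byte, n)
	for j := 0; j < n; j++ {
		prev := in[((j-byteShift-1)%n+n)%n]
		cur := in[((j-byteShift)%n+n)%n]
		out[j] = prev<<(8-bitShift) | cur>>bitShift // byte<<8 is 0 in Go
	}
	return out
}

// nfold implements RFC 3961 section 5.1: replicate the input, rotating each
// further copy right by 13 bits, out to lcm(len(in), outLen) bytes, then add
// the outLen-byte chunks with ones' complement (end-around carry) addition.
func nfold(in []byte, outLen int) []byte {
	inLen := len(in)
	lcm := inLen / gcd(inLen, outLen) * outLen
	expanded := make([]byte, 0, lcm)
	for i := 0; i < lcm/inLen; i++ {
		expanded = append(expanded, rotr13(in, i)...)
	}
	out := make([]byte, outLen)
	for off := 0; off < lcm; off += outLen {
		carry := 0
		for j := outLen - 1; j >= 0; j-- {
			s := int(out[j]) + int(expanded[off+j]) + carry
			out[j], carry = byte(s), s>>8
		}
		for j := outLen - 1; carry != 0; j = (j + outLen - 1) % outLen {
			s := int(out[j]) + carry // end-around carry
			out[j], carry = byte(s), s>>8
		}
	}
	return out
}

// aesCTS is the RFC 3962 section 4 encryption primitive E(): AES-CBC with a
// zero IV and ciphertext stealing, i.e. zero-pad the last block, run CBC,
// swap the last two ciphertext blocks and cut the new last block down to the
// length of the partial input block. A single block is plain CBC.
func aesCTS(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	bs := block.BlockSize()
	if len(pt) < bs {
		panic("aesCTS: input shorter than one block")
	}
	nblocks := (len(pt) + bs - 1) / bs
	padded := make([]byte, nblocks*bs)
	copy(padded, pt)
	ct := make([]byte, len(padded))
	prev := make([]byte, bs) // zero IV
	for i := 0; i < nblocks; i++ {
		x := make([]byte, bs)
		for j := range x {
			x[j] = padded[i*bs+j] ^ prev[j]
		}
		block.Encrypt(ct[i*bs:(i+1)*bs], x)
		prev = ct[i*bs : (i+1)*bs]
	}
	if nblocks == 1 {
		return ct
	}
	last, penult := ct[(nblocks-1)*bs:], ct[(nblocks-2)*bs:(nblocks-1)*bs]
	out := append([]byte{}, ct[:(nblocks-2)*bs]...)
	out = append(out, last...)
	return append(out, penult[:len(pt)-(nblocks-1)*bs]...)
}

// dk is DK() of RFC 3961 section 5.1 as profiled for AES in RFC 3962: n-fold
// the constant to one cipher block, encrypt it under the protocol key, and
// chain E() on the previous output until keyLen bytes exist (two rounds for
// AES-256). random-to-key is the identity for AES.
func dk(key []byte, constant string, keyLen int) []byte {
	c := []byte(constant)
	if len(c) != aes.BlockSize {
		c = nfold(c, aes.BlockSize)
	}
	var dr []byte
	prev := c
	for len(dr) < keyLen {
		prev = aesCTS(key, prev)
		dr = append(dr, prev...)
	}
	return dr[:keyLen]
}

// prfSpec reads RFC 3961 section 5.3 literally for AES: m is 1 byte, so the
// 20-byte SHA-1 digest is not truncated and CTS yields 20 bytes of output.
func prfSpec(key, input []byte) []byte {
	kp := dk(key, "prf", len(key))
	h := sha1.Sum(input)
	return aesCTS(kp, h[:])
}

// prfImpl is what the implementations shipped: truncate the digest to a
// multiple of the 16-byte AES block size, encrypt one block, get 16 bytes.
func prfImpl(key, input []byte) []byte {
	kp := dk(key, "prf", len(key))
	h := sha1.Sum(input)
	return aesCTS(kp, h[:len(h)/aes.BlockSize*aes.BlockSize])
}

func main() {
	// Constructed protocol key and input for the example; not RFC vectors.
	key, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	input := []byte("krb-wg PRF example")
	fmt.Printf("RFC 3961 as written: %x (%d bytes)\n", prfSpec(key, input), len(prfSpec(key, input)))
	fmt.Printf("as implemented     : %x (%d bytes)\n", prfImpl(key, input), len(prfImpl(key, input)))
}
```

Run with `go run`. The two outputs differ in length, 20 against 16 bytes, so a peer that implements the other variant fails loudly at the length check rather than silently; the last four bytes of the 20-byte value equal the first four of the 16-byte one, which is just the CTS block swap showing through, and is a quick way to tell from a captured value which reading a peer has implemented.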