IETF Logo Mail Archive

Re: [saag] krb-wg report

Larry Zhu <lzhu@windows.microsoft.com> Thu, 26 March 2009 22:34 UTC

Return-Path: <lzhu@windows.microsoft.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 17F653A6887 for <saag@core3.amsl.com>; Thu, 26 Mar 2009 15:34:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -107.152
X-Spam-Level:
X-Spam-Status: No, score=-107.152 tagged_above=-999 required=5 tests=[AWL=3.447, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XHvGsVQ-uhFq for <saag@core3.amsl.com>; Thu, 26 Mar 2009 15:34:40 -0700 (PDT)
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.212]) by core3.amsl.com (Postfix) with ESMTP id 020493A6452 for <saag@ietf.org>; Thu, 26 Mar 2009 15:34:40 -0700 (PDT)
Received: from TK5-EXHUB-C102.redmond.corp.microsoft.com (157.54.18.53) by TK5-EXGWY-E801.partners.extranet.microsoft.com (10.251.56.50) with Microsoft SMTP Server (TLS) id 8.2.99.4; Thu, 26 Mar 2009 15:35:33 -0700
Received: from tk5-exmlt-w602.wingroup.windeploy.ntdev.microsoft.com (157.54.18.33) by TK5-EXHUB-C102.redmond.corp.microsoft.com (157.54.18.53) with Microsoft SMTP Server id 8.2.99.4; Thu, 26 Mar 2009 15:35:32 -0700
Received: from NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com ([fe80::8de9:51a2:cd62:f122]) by tk5-exmlt-w602.wingroup.windeploy.ntdev.microsoft.com ([157.54.18.33]) with mapi; Thu, 26 Mar 2009 15:35:32 -0700
From: Larry Zhu <lzhu@windows.microsoft.com>
To: "saag@ietf.org" <saag@ietf.org>, "ietf-krb-wg@anl.gov" <ietf-krb-wg@anl.gov>
Date: Thu, 26 Mar 2009 15:35:14 -0700
Thread-Topic: krb-wg report
Thread-Index: AcmuTUXIWv7mlqGaTfCfal0noKcm4AAFVjdA
Message-ID: <AB1E5627D2489D45BD01B84BD5B9004614F5954CDF@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [saag] krb-wg report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2009 22:34:41 -0000

This is a correction to the first paragraph in the Krb-wg report.
Jeff and I discussed this, and have come to the conclusion that the
posted summary suggests that decisions on starttls were made in
the working group meeting on issues which were not decided.

This is due in part to incorporating discussions which occurred in the
Jabber room but not in the meeting proper.  It was also partly due to
my interpretation of certain discussions as reaching a decision,
during a portion of the meeting I was not running.

I did send the summary to Jeff before posting and I somehow missed
out the points where Jeff brought these up in his response.

With that I would like to retract the paragraph on starttls status and
clarify as follows:

 - we did not come to a conclusion on certificate valildation, which is
   a discussion still ongoing on the krb-wg mailing list, but which the
   chairs hope will be resolved soon.

 - we did not come to a conclusion on the question of whether to adopt the
   krb5starttls-bootstrap document or on the separation of features between
   core starttls and -bootstrap.  However, we did collect some input which
   we hope will help us to make a useful proposal for moving forward.

 - The intended status of the starttls document was also not decided and it was
   only discussed briefly in the jabber room.


Thanks,

--larry


From: Larry Zhu
Sent: Thursday, March 26, 2009 12:59 PM
To: saag@ietf.org; ietf-krb-wg@anl.gov
Subject: krb-wg report


Krb-wg met Tuesday afternoon.

Chair: Jeffrey Hutzelman and Larry Zhu
Scribe: Shawn Emery
AD: Tim Polk

We reviewed the changes in our current Internet Drafts.  We discussed issues
raised in list discussions and consensus calls. There are two outstanding
issues for draft-josefsson-kerberos5-starttls, namely KDC-certificate
validation and channel bindings.  It is noted that current starttls
implementations can only handle pre-shared certificates. We decided that
starttls should require certificate validation using pre-shared certificates.
There is no consensus how the certificates can be verified otherwise with
alternative options involving various EKUs and SANs proposed.  The lack of
channel bindings will be handled in a separate document. Due to these
limitations, the starttls document should be published as is as informational,
except to update it to reflect the certificate validation decision. The channel
binding document krb5starttls-bootstrap is adopted as a working group item.
These decisions are to be verified on the list.

We then discussed an issue involving the RFC3961 PRF for AES. We found that
all current implementations truncate the output to multiple of AES cipher
block size 16 bytes while the specification in RFC3961 does not truncate. We
decided to adopt the PRF with truncation as the official PRF but we are to
find out what is the right process to do this and we will involve the document
author Ken and security AD Tim Polk. The decision is to be verified on the list.


After the PRF discussion, we turned our attention to two issues in the preauth
document. Sam made the presentation. One is how to detect thus prevent the FAST
padata from being stripped by active attackers. An AD element will be used to
indicate FAST padata is used to mitigate the threat. Another issue is that
TLS-finished style checksum adds some complexity to implementers but no
significant benefits. We will remove the finished checksum in the next revision.

We also have the following additional action items and decisions:

1) Updates to the data model document have been made based on WGLC comments.
We will start another WGLC. Follow up: jhutz and Leif.

2) Anonymity document has one new open issue regard to exported names. Larry Zhu
is going to propose a solution and go through the list. We have good and healthy
discussions. Followup: Larry

3) Love proposed an alternative proposal to use the server nonce to allow both the
client and the KDC contribute the ticket Session key. Larry Zhu and/love will write
up the idea and propose it to the list. Followup: Larry and Love.

4) IAKERB WGLC is concluded. One comment is to be addressed by adding appropriate
text to the security considerations section. Followup: Larry to update, and Jhutz
to forward it to IESG

5) Ticket extensions adopted as work group item. Followup: jhutz

6) DHCP options to be added to allow KDC discovery, adopted as working group item, and to update the krb-wg charter. Followup: jhutz

7) The preauth ID to be updated and start WGLC. Followup: Sam Hartman to publish -11 based on the group decisions, 3 designated volunteer reviewers to complete review in the next weeks timeframe: Cliff Newman, Love, and Nicolas Williams

v2.23.0 | Report a Bug | By Email