Re: [secdir] Secdir review of draft-ietf-krb-wg-kdc-model-12

Jeffrey Hutzelman <> Thu, 05 July 2012 04:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E8BDF21F84C8 for <>; Wed, 4 Jul 2012 21:17:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZR+mQr8posEH for <>; Wed, 4 Jul 2012 21:17:41 -0700 (PDT)
Received: from (SMTP03.SRV.CS.CMU.EDU []) by (Postfix) with ESMTP id 0775A21F84C5 for <>; Wed, 4 Jul 2012 21:17:40 -0700 (PDT)
Received: from [] ( []) (authenticated bits=0) by (8.13.6/8.13.6) with ESMTP id q654Hobd028603 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 5 Jul 2012 00:17:51 -0400 (EDT)
From: Jeffrey Hutzelman <>
To: Alexey Melnikov <>
In-Reply-To: <>
References: <> <>
Content-Type: text/plain; charset="UTF-8"
Date: Thu, 05 Jul 2012 00:17:52 -0400
Message-ID: <1341461872.5329.22.camel@tuzanor.jhutz.local>
Mime-Version: 1.0
X-Mailer: Evolution 2.32.2
Content-Transfer-Encoding: 7bit
X-Scanned-By: mimedefang-cmuscs on
Cc:, secdir <>,
Subject: Re: [secdir] Secdir review of draft-ietf-krb-wg-kdc-model-12
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 05 Jul 2012 04:17:42 -0000

On Wed, 2012-07-04 at 22:04 +0100, Alexey Melnikov wrote:

> I do however have a long list of nits and minor issues which I think 
> need to be addressed:

I think the majority of your comments can be addressed by noting that
this is an abstract data model, not a schema or protocol.  So, it
discusses values that must be representable, but not what the
representation must look like, because that's up to some schema or
protocol based on this data model (e.g. an LDAP schema or XML DTD).

I thought at this point that the introduction makes this point
reasonably clear, along with the notion that "implementations" of this
documents are schemas or protocols, not pieces of software.  However, if
you didn't pick up on that, then maybe there's a better way to get it

Aside from those, you also pointed three specific issues (quoted below)
which I think are answered by text in RFC3961.  If that information is
sufficient to answer your questions, then appropriate references to that
document should be inserted in the text.  Otherwise, we'll have to talk
about what the document can say to be more clear.

> In Section - what is an enctype? :-).

See RFC3961.

>  keyValue
>     The binary representation of the key data.  This MUST be a single-
>     valued octet string.
> Can it be zero-length?

A valid question, I suppose.  But I don't see any point in saying,
because then someone will just follow up with a question asking whether
it is allowed to be length 1.

In fact, a key held by the KDC will be a valid key for the appropriate
enctype.  The set of valid keys is a property of the enctype, as
specified in RFC3961 section 3.

>  keySaltValue
>     The binary representation of the key salt.  This MUST be a single-
>     valued octet string.
> As above.

RFC3961 is quite clear that any valid UTF-8 string is permissible as a

You also pointed out several missing references; I agree with all of

Leif, can you make sure we get in whatever changes are needed to address
Alexey's comments?

-- Jeff