Re: [secdir] SecDir review of draft-ietf-krb-wg-kerberos-referrals-14

Sam Hartman <hartmans-ietf@mit.edu> Wed, 26 September 2012 12:12 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EDE621F8834 for <secdir@ietfa.amsl.com>; Wed, 26 Sep 2012 05:12:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -97.612
X-Spam-Level:
X-Spam-Status: No, score=-97.612 tagged_above=-999 required=5 tests=[AWL=-1.900, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NabXixNzK9Gl for <secdir@ietfa.amsl.com>; Wed, 26 Sep 2012 05:12:22 -0700 (PDT)
Received: from ec2-23-21-227-93.compute-1.amazonaws.com (ec2-23-21-227-93.compute-1.amazonaws.com [23.21.227.93]) by ietfa.amsl.com (Postfix) with ESMTP id 18D9221F8810 for <secdir@ietf.org>; Wed, 26 Sep 2012 05:12:22 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (c-98-217-126-210.hsd1.ma.comcast.net [98.217.126.210]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 37125201E2; Wed, 26 Sep 2012 08:02:59 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 1BA7B414A; Wed, 26 Sep 2012 08:02:28 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
References: <4FBFAE5F.8010305@gmail.com> <505F7514.8030908@gmail.com> <5061E4AE.2030701@ieca.com> <5061E628.2070708@gmail.com>
Date: Wed, 26 Sep 2012 08:02:28 -0400
In-Reply-To: <5061E628.2070708@gmail.com> (Yaron Sheffer's message of "Tue, 25 Sep 2012 19:13:12 +0200")
Message-ID: <tsld319rnzf.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: draft-ietf-krb-wg-kerberos-referrals.all@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] SecDir review of draft-ietf-krb-wg-kerberos-referrals-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2012 12:12:23 -0000

Hi.
I wanted to respond to a few points you raised.

First, things are a bit more encouraging than it might seem.
The security mechanisms (FAST negotiation and FAST as well as a lot of
policy constraints) have been significantly motivated by the security
analysis of this protocol.
Adopting of the security mechanisms is increasing, not decreasing.
We have fairly good to excellent (depending on mechanism and usage)
bid-down protection.
So, things are improving fairly rapidly.

In Kerberos, realms cannot claim ownership of resources.
Some systems such as Active Directory built on Kerberos do support that.

Thanks for your review; I'm discussing with Stephen what changes we want
to make to the specific points you raise.