Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04

"Christian Huitema" <huitema@huitema.net> Thu, 05 January 2017 22:34 UTC

From: Christian Huitema <huitema@huitema.net>
To: 'Nathaniel McCallum' <npmccallum@redhat.com>
References: <005f01d263d5$84b14680$8e13d380$@huitema.net> <006f01d263d8$435dc430$ca194c90$@huitema.net> <20170103062001.GN8460@kduck.kaduk.org> <00c901d26766$566e9ae0$034bd0a0$@huitema.net> <20170105194728.GU8460@kduck.kaduk.org> <042f01d26790$e936a5f0$bba3f1d0$@huitema.net> <CAOASepOE2RHGoZre7g6xswX56AUPZJfPMkksHWt7rwBo6_C-sw@mail.gmail.com>
In-Reply-To: <CAOASepOE2RHGoZre7g6xswX56AUPZJfPMkksHWt7rwBo6_C-sw@mail.gmail.com>
Date: Thu, 05 Jan 2017 14:34:47 -0800
Message-ID: <045e01d267a3$ed12d410$c7387c30$@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/PRkiOcN6j5_Lt3R6Yo8hfiymBRY>
Cc: 'secdir' <secdir@ietf.org>, draft-ietf-kitten-krb-auth-indicator.all@ietf.org, "'Kinder, Nathan'" <nkinder@redhat.com>, kitten@ietf.org, 'IESG' <iesg@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
List-Id: Security Area Directorate <secdir.ietf.org>

On Thursday, January 5, 2017 12:40 PM, Nathaniel McCallum wrote:

>> What is supposed to happen if the outside Authorization Data type is set to
>> 97 instead of 96? Should that be specified somewhere? The text says:
>>
>>    Authorization data elements of type AD-AUTHENTICATION-INDICATOR MUST
>>    be included in an AD-CAMMAC container so that their contents can be
>>    verified as originating from the KDC.
>>
>> That's a fine constraint for the sender, but what about receivers?
>
> 5.  Security Considerations
>
>   ... Application servers MUST validate the AD-CAMMAC container before
>   making authorization decisions based on AD-AUTHENTICATION-INDICATOR
>   elements.  Application servers MUST NOT make authorization decisions
>   based on AD-AUTHENTICATION-INDICATOR elements which appear outside of
>   AD-CAMMAC containers. ...

You are right, and I was confused.

As far as I am concerned, the draft is fine and ready for publication. The "reserved number" section and the additional paragraph in the security considerations addressed the concerns that I raised in the initial review.

-- Christian Huitema
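The receiver-side rule quoted above (indicators count only when they arrive inside an AD-CAMMAC container that the application server has validated; a bare type-97 element is ignored for authorization) as an added example, not code from the draft, from any Kerberos implementation, or from anyone in this thread. The ad-type numbers 96 (AD-CAMMAC) and 97 (AD-AUTHENTICATION-INDICATOR) are the ones discussed in the thread; everything else is a simplification: the container is JSON rather than the RFC 7751 ASN.1 structure, the KDC verifier is an HMAC-SHA256 over the wrapped elements rather than the real Verifier-MAC, the indicator payload is a JSON list rather than a DER SEQUENCE OF UTF8String, and the KDC key is a constructed placeholder.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

AD_CAMMAC = 96                     # container type discussed in the thread
AD_AUTHENTICATION_INDICATOR = 97   # indicator type discussed in the thread


@dataclass(frozen=True)
class AuthData:
    """One authorization-data element: an ad-type and opaque ad-data."""
    ad_type: int
    ad_data: bytes


def _element_bytes(elements: List[AuthData]) -> bytes:
    """Canonical encoding of the wrapped elements (JSON stand-in for DER)."""
    return json.dumps([[e.ad_type, e.ad_data.hex()] for e in elements],
                      separators=(",", ":")).encode()


def kdc_wrap_in_cammac(elements: List[AuthData], kdc_key: bytes) -> AuthData:
    """KDC side: wrap elements in an AD-CAMMAC whose verifier is keyed with a
    key only the KDC holds. Simplified: HMAC-SHA256 over the element encoding
    instead of the RFC 7751 Verifier-MAC."""
    body = _element_bytes(elements)
    mac = hmac.new(kdc_key, body, hashlib.sha256).hexdigest()
    container = {"elements": body.decode(), "kdc_verifier": mac}
    return AuthData(AD_CAMMAC, json.dumps(container).encode())


def _open_cammac(ad: AuthData, kdc_key: bytes) -> Optional[List[AuthData]]:
    """Return the wrapped elements if the KDC verifier checks out, else None.
    Any malformed container is treated exactly like a bad verifier."""
    try:
        container = json.loads(ad.ad_data)
        body = container["elements"].encode()
        expected = hmac.new(kdc_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, container["kdc_verifier"]):
            return None
        return [AuthData(t, bytes.fromhex(d)) for t, d in json.loads(body)]
    except (ValueError, KeyError, TypeError):
        return None


def indicators_for_authz(ticket_authdata: List[AuthData],
                         kdc_key: bytes) -> Tuple[List[str], List[str]]:
    """Application-server side. Returns (accepted, rejection_reasons).
    Only indicators inside a CAMMAC that validates are accepted; a bare
    type-97 element, or one inside a CAMMAC that fails verification, is
    not used for authorization decisions."""
    accepted: List[str] = []
    rejected: List[str] = []
    for ad in ticket_authdata:
        if ad.ad_type == AD_CAMMAC:
            inner = _open_cammac(ad, kdc_key)
            if inner is None:
                rejected.append("AD-CAMMAC failed verification")
                continue
            for e in inner:
                if e.ad_type == AD_AUTHENTICATION_INDICATOR:
                    accepted.extend(json.loads(e.ad_data))
        elif ad.ad_type == AD_AUTHENTICATION_INDICATOR:
            rejected.append("AD-AUTHENTICATION-INDICATOR outside AD-CAMMAC")
        # any other ad-type is irrelevant to this check and is left alone
    return accepted, rejected


def demo() -> Tuple[List[str], List[str]]:
    """Constructed ticket authdata: one properly wrapped indicator, one bare
    indicator, and one CAMMAC built with the wrong key."""
    kdc_key = b"constructed-kdc-key-placeholder"   # placeholder, not a real key
    good = kdc_wrap_in_cammac(
        [AuthData(AD_AUTHENTICATION_INDICATOR, json.dumps(["otp"]).encode())],
        kdc_key)
    bare = AuthData(AD_AUTHENTICATION_INDICATOR, json.dumps(["pkinit"]).encode())
    forged = kdc_wrap_in_cammac(
        [AuthData(AD_AUTHENTICATION_INDICATOR,
                  json.dumps(["hardware-token"]).encode())],
        b"some-other-key")
    return indicators_for_authz([good, bare, forged], kdc_key)


if __name__ == "__main__":
    print(demo())
```

The point the thread settles on is visible in the second branch of `indicators_for_authz`: the server never asks what a bare type-97 element says, it only records that one was present outside a container. The first branch does the order of operations the Security Considerations text requires, verify the container first and only then read the indicators it carries.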