Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04

Nathaniel McCallum <npmccallum@redhat.com> Thu, 05 January 2017 20:39 UTC

Return-Path: <nmccallu@redhat.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1ECE6129415 for <secdir@ietfa.amsl.com>; Thu, 5 Jan 2017 12:39:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.421
X-Spam-Level:
X-Spam-Status: No, score=-1.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mtdOKnwuMgQL for <secdir@ietfa.amsl.com>; Thu, 5 Jan 2017 12:39:39 -0800 (PST)
Received: from mail-it0-f41.google.com (mail-it0-f41.google.com [209.85.214.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68F361293F9 for <secdir@ietf.org>; Thu, 5 Jan 2017 12:39:37 -0800 (PST)
Received: by mail-it0-f41.google.com with SMTP id x2so914168itf.1 for <secdir@ietf.org>; Thu, 05 Jan 2017 12:39:37 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Bcya9tiKOzoC4numKkh8Qtikzk4BmNGvNbSS7DFiASc=; b=agW+fxXwfVfYeCf0lZ1X964O2d0m56lYPKTe6WakrKQC4SfNAHtipeI6EPpzpEln6x +oNEXTC2FKHGHCp8DBL4gOnCcyWjX08jU9YUzBfnv6a0lNenI4LIhq1YP5EPNA1wBDSW /YqhYv1f4hqjT1Pn90mhdsUi7a0ce8Y4Rs5V16qizlpLukoBq1Ufg3xYQx6Y2HERXKPf ypHalNVmBQ/TFRi+/+fOCrFbLrQl8zjLGC1H488gJQJXD29WXlQwk6sYgYjvO4fhmYJV g9Sr8KXdqhUqe0IQq30SrVqARGzxOiwM5iL0UOlSl+ahgY/Gy0ohJPusZrWAysvKIRYg Inbw==
X-Gm-Message-State: AIkVDXKjOlodr24jXJmaOMzheB6bDv+7Peb04xboa3xjLgoSHFEyTgMKME22JLuZz0VdvzUprxdvFij3+pzpNOHo
X-Received: by 10.36.203.194 with SMTP id u185mr6954747itg.93.1483648776660; Thu, 05 Jan 2017 12:39:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.34.195 with HTTP; Thu, 5 Jan 2017 12:39:36 -0800 (PST)
In-Reply-To: <042f01d26790$e936a5f0$bba3f1d0$@huitema.net>
References: <005f01d263d5$84b14680$8e13d380$@huitema.net> <006f01d263d8$435dc430$ca194c90$@huitema.net> <20170103062001.GN8460@kduck.kaduk.org> <00c901d26766$566e9ae0$034bd0a0$@huitema.net> <20170105194728.GU8460@kduck.kaduk.org> <042f01d26790$e936a5f0$bba3f1d0$@huitema.net>
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Thu, 05 Jan 2017 15:39:36 -0500
Message-ID: <CAOASepOE2RHGoZre7g6xswX56AUPZJfPMkksHWt7rwBo6_C-sw@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/VCEmKEb5O4Nwc1e3Vh0YygMIZU4>
Cc: secdir <secdir@ietf.org>, draft-ietf-kitten-krb-auth-indicator.all@ietf.org, "Kinder, Nathan" <nkinder@redhat.com>, kitten@ietf.org, IESG <iesg@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 20:39:40 -0000

On Thu, Jan 5, 2017 at 3:18 PM, Christian Huitema <huitema@huitema.net> wrote:
> On Thursday, January 5, 2017 11:47 AM, Benjamin Kaduk wrote:
>>
>> Thanks for finding the new document -- I was going to send you a pointer
>> today to confirm that it addressed your concerns, but you beat me to it.
>
> Blame Tero Kivinen. He sent me a reminder this morning.
>
>>> One point, though. The new section 4 states:
>>>
>>>    o  The table in Section 5.2.6 of RFC 4120 [RFC4120] is updated to map
>>>       the ad-type 97 to "DER encoding of AD-AUTHENTICATION-INDICATOR".
>>>
>>> Should that not be "DER encoding of AD-AUTHENTICATION-INDICATOR wrapped
> in a
>>> CAMMAC container"?
>>
>> I don't think so, but will loop in the WG to confirm.
>> The ad-type should indicate what is immediately inside the next encoding
>> layer of the ad-data.  So a Ticket might have an AuthorizationData that
>> contains ad-type 1 (AD-IF-RELEVANT), that itself contains
> AuthorizationData
>> with ad-type 96 (AD-CAMMAC), that in turn contains AuthorizationData with
>> ad-type 97 (AD-AUTHENTICATION-INDICATOR).  So, 97 should appear only at
>> the lowest level, and correspond to ad-data that's just the
>> AD-AUTHENTICATION-INDICATOR itself.
>
> OK, I get that now. It was not entirely obvious from reading the text.
>
> What is supposed to happen if the outside Authorization Data type is set to
> 97 instead of 96? Should that be specified somewhere? The text says:
>
>    Authorization data elements of type AD-AUTHENTICATION-INDICATOR MUST
>    be included in an AD-CAMMAC container so that their contents can be
>    verified as originating from the KDC.
>
> That's a fine constraint for the sender, but what about receivers?

5.  Security Considerations

   ... Application servers MUST validate the AD-CAMMAC container before
   making authorization decisions based on AD-AUTHENTICATION-INDICATOR
   elements.  Application servers MUST NOT make authorization decisions
   based on AD-AUTHENTICATION-INDICATOR elements which appear outside of
   AD-CAMMAC containers. ...