Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
Nathaniel McCallum <npmccallum@redhat.com> Thu, 05 January 2017 20:39 UTC
Return-Path: <nmccallu@redhat.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1ECE6129415 for <secdir@ietfa.amsl.com>; Thu, 5 Jan 2017 12:39:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.421
X-Spam-Level:
X-Spam-Status: No, score=-1.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mtdOKnwuMgQL for <secdir@ietfa.amsl.com>; Thu, 5 Jan 2017 12:39:39 -0800 (PST)
Received: from mail-it0-f41.google.com (mail-it0-f41.google.com [209.85.214.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68F361293F9 for <secdir@ietf.org>; Thu, 5 Jan 2017 12:39:37 -0800 (PST)
Received: by mail-it0-f41.google.com with SMTP id x2so914168itf.1 for <secdir@ietf.org>; Thu, 05 Jan 2017 12:39:37 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Bcya9tiKOzoC4numKkh8Qtikzk4BmNGvNbSS7DFiASc=; b=agW+fxXwfVfYeCf0lZ1X964O2d0m56lYPKTe6WakrKQC4SfNAHtipeI6EPpzpEln6x +oNEXTC2FKHGHCp8DBL4gOnCcyWjX08jU9YUzBfnv6a0lNenI4LIhq1YP5EPNA1wBDSW /YqhYv1f4hqjT1Pn90mhdsUi7a0ce8Y4Rs5V16qizlpLukoBq1Ufg3xYQx6Y2HERXKPf ypHalNVmBQ/TFRi+/+fOCrFbLrQl8zjLGC1H488gJQJXD29WXlQwk6sYgYjvO4fhmYJV g9Sr8KXdqhUqe0IQq30SrVqARGzxOiwM5iL0UOlSl+ahgY/Gy0ohJPusZrWAysvKIRYg Inbw==
X-Gm-Message-State: AIkVDXKjOlodr24jXJmaOMzheB6bDv+7Peb04xboa3xjLgoSHFEyTgMKME22JLuZz0VdvzUprxdvFij3+pzpNOHo
X-Received: by 10.36.203.194 with SMTP id u185mr6954747itg.93.1483648776660; Thu, 05 Jan 2017 12:39:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.34.195 with HTTP; Thu, 5 Jan 2017 12:39:36 -0800 (PST)
In-Reply-To: <042f01d26790$e936a5f0$bba3f1d0$@huitema.net>
References: <005f01d263d5$84b14680$8e13d380$@huitema.net> <006f01d263d8$435dc430$ca194c90$@huitema.net> <20170103062001.GN8460@kduck.kaduk.org> <00c901d26766$566e9ae0$034bd0a0$@huitema.net> <20170105194728.GU8460@kduck.kaduk.org> <042f01d26790$e936a5f0$bba3f1d0$@huitema.net>
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Thu, 05 Jan 2017 15:39:36 -0500
Message-ID: <CAOASepOE2RHGoZre7g6xswX56AUPZJfPMkksHWt7rwBo6_C-sw@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/VCEmKEb5O4Nwc1e3Vh0YygMIZU4>
Cc: secdir <secdir@ietf.org>, draft-ietf-kitten-krb-auth-indicator.all@ietf.org, "Kinder, Nathan" <nkinder@redhat.com>, kitten@ietf.org, IESG <iesg@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 20:39:40 -0000
On Thu, Jan 5, 2017 at 3:18 PM, Christian Huitema <huitema@huitema.net> wrote: > On Thursday, January 5, 2017 11:47 AM, Benjamin Kaduk wrote: >> >> Thanks for finding the new document -- I was going to send you a pointer >> today to confirm that it addressed your concerns, but you beat me to it. > > Blame Tero Kivinen. He sent me a reminder this morning. > >>> One point, though. The new section 4 states: >>> >>> o The table in Section 5.2.6 of RFC 4120 [RFC4120] is updated to map >>> the ad-type 97 to "DER encoding of AD-AUTHENTICATION-INDICATOR". >>> >>> Should that not be "DER encoding of AD-AUTHENTICATION-INDICATOR wrapped > in a >>> CAMMAC container"? >> >> I don't think so, but will loop in the WG to confirm. >> The ad-type should indicate what is immediately inside the next encoding >> layer of the ad-data. So a Ticket might have an AuthorizationData that >> contains ad-type 1 (AD-IF-RELEVANT), that itself contains > AuthorizationData >> with ad-type 96 (AD-CAMMAC), that in turn contains AuthorizationData with >> ad-type 97 (AD-AUTHENTICATION-INDICATOR). So, 97 should appear only at >> the lowest level, and correspond to ad-data that's just the >> AD-AUTHENTICATION-INDICATOR itself. > > OK, I get that now. It was not entirely obvious from reading the text. > > What is supposed to happen if the outside Authorization Data type is set to > 97 instead of 96? Should that be specified somewhere? The text says: > > Authorization data elements of type AD-AUTHENTICATION-INDICATOR MUST > be included in an AD-CAMMAC container so that their contents can be > verified as originating from the KDC. > > That's a fine constraint for the sender, but what about receivers? 5. Security Considerations ... Application servers MUST validate the AD-CAMMAC container before making authorization decisions based on AD-AUTHENTICATION-INDICATOR elements. Application servers MUST NOT make authorization decisions based on AD-AUTHENTICATION-INDICATOR elements which appear outside of AD-CAMMAC containers. ...
- [secdir] SECDIR review of draft-ietf-kitten-krb-a… Christian Huitema
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Christian Huitema
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Benjamin Kaduk
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Christian Huitema
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Benjamin Kaduk
- Re: [secdir] [kitten] SECDIR review of draft-ietf… Greg Hudson
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Christian Huitema
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Nathaniel McCallum
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Christian Huitema