Re: [secdir] Review of draft-lha-gssapi-delegate-policy-04
Sam Hartman <hartmans-ietf@mit.edu> Tue, 01 December 2009 22:53 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9D7CF3A6783; Tue, 1 Dec 2009 14:53:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.438
X-Spam-Level:
X-Spam-Status: No, score=-2.438 tagged_above=-999 required=5 tests=[AWL=-0.173, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1VFjJegtjoOK; Tue, 1 Dec 2009 14:53:18 -0800 (PST)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 7DCC63A6931; Tue, 1 Dec 2009 14:53:17 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 9A046202F5; Tue, 1 Dec 2009 17:53:09 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 69EDC427D; Tue, 1 Dec 2009 17:52:54 -0500 (EST)
To: Hilarie Orman <hilarie@purplestreak.com>
References: <200912010218.nB12IvHB022301@fermat.rhmr.com>
From: Sam Hartman <hartmans-ietf@mit.edu>
Date: Tue, 01 Dec 2009 17:52:54 -0500
In-Reply-To: <200912010218.nB12IvHB022301@fermat.rhmr.com> (Hilarie Orman's message of "Mon\, 30 Nov 2009 19\:18\:57 -0700")
Message-ID: <tslfx7ugvcp.fsf@mit.edu>
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: iesg@ietf.org, hartmans-ietf@mit.edu, lha@apple.com, secdir@ietf.org
Subject: Re: [secdir] Review of draft-lha-gssapi-delegate-policy-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2009 22:53:19 -0000
>>>>> "Hilarie" == Hilarie Orman <hilarie@purplestreak.com> writes: Hilarie> The document describes an augmentation of the semantics Hilarie> of the GSSAPI service delegation policy. It allows a Hilarie> client to ask if there is a policy allowing delegation of Hilarie> the service. I'd say it's more like the draft provides a mechanism for a client to request that the decision about whether to delegate credentials to the service be made by the GSS-API implementation and the local platform rather than by the client itself. Previously, the client needed to either decide not to delegate or to always delegate. The local platform is often in a much better position to make a trust decision about a service in an infrastructure environment than the client application. Hilarie> This is a something of a policy band-aid. The API Hilarie> currently supports only unconditional delegation. This Hilarie> change allows a client to learn if the local policy Hilarie> supports it. The Hilarie> decision might involve tier of Kerberos Hilarie> inter-realm servers, and the API is charged with Hilarie> enforcing the policy of assuring that all tickets agree Hilarie> that delegation is permitted. Hilarie> The change is minimal, involving no over-the-wire Hilarie> changes, but I imagine it is only part of the tip of a Hilarie> policy iceberg. Well, the over-the-wire changes were made years ago. However, yes, this does represent an evolutionary step and there are additional steps in progress. See http://k5wiki.kerberos.org/wiki/Projects/Services4User as an example of a finer grain way of expressing similar policy in the GSS-API Kerberos mechanism. (It's not clear how much of that work will be or requires standardization in the IETF.) Hilarie> If clients are to make policy decisions Hilarie> about something as complex as delegation, ultimately they Hilarie> will need more specific information, I would imagine. Again, this is about removing that decision from client applications and placing it in the hands of the platform/infrastructure. Hilarie> The security of the mechanism depends on how wise the Hilarie> administrators are when configuring the delegation Hilarie> policy, but the clients have no insight into how the Hilarie> decision was reached. Hilarie> I recommend that the security considerations section make Hilarie> some comment about why a client would or would not make Hilarie> use of this new mechanism. Perhaps it should be avoided Hilarie> for security-critical services ("don't delegate, even if Hilarie> it is allowed")? Or should it always be used? Avoiding this for security critical services doesn't make sense. In general, what is being delegated is permission to act as some given principal when talking to *any* service. So, it wouldn't make much sense to say that the audio service is permitted to act as any delegated user, but some security critical service is not. Giving advice on this topic is quite difficult, because the value of delegation to a given service depends on a lot of implementation details (like whether that service will need to access file servers or the like) which a portable application simply cannot know. It's probably reasonable to use this mechanism exceptt when the application has information that could allow it to make a better decision on its own.
- [secdir] Review of draft-lha-gssapi-delegate-poli… Hilarie Orman
- Re: [secdir] Review of draft-lha-gssapi-delegate-… Sam Hartman