[secdir] Secdir review of draft-ietf-kitten-rfc4402bis-01

Charlie Kaufman <charliekaufman@outlook.com> Sun, 29 November 2015 02:04 UTC

From: Charlie Kaufman <charliekaufman@outlook.com>
To: "secdir@ietf.org" <secdir@ietf.org>
Cc: "draft-ietf-kitten-rfc4402bis.all@tools.ietf.org" <draft-ietf-kitten-rfc4402bis.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Date: Sun, 29 Nov 2015 02:04:30 +0000
Subject: [secdir] Secdir review of draft-ietf-kitten-rfc4402bis-01
Message-ID: <CY1PR17MB0425B9E2FA8C66DEE1E3C313DF010@CY1PR17MB0425.namprd17.prod.outlook.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/k9tOtOl9CsSS87yZwub9pQ2Xs_Q>

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  Document
editors and WG chairs should treat these comments just like any other last
call comments.


This is effectively a one byte change to RFC4402 to correct for the fact that the deployed implementations do not match the current spec. While it's open, there is also the addition of some sample data to assure the problem won't happen again (or at least if it does, the sample data will indicate the correct interpretation).


RFC4402 was already covering a detail of the Kerberos V5 design that probably should have been folded into another RFC rather than getting its own, so this change is truly covering a small detail (albeit one that affects interoperability of implementations).


Note that this spec defines a PRF function in what today would be considered a non-standard way. But the changed spec will reflect the state of the deployed base and there are no known cryptographic weaknesses in the algorithm specified here.


     --Charlie