IETF Logo Mail Archive

RE: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt

"Liqiang(Larry) Zhu" <lzhu@windows.microsoft.com> Fri, 06 April 2007 07:28 UTC

Return-path: <spkm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HZisO-0007YQ-Lk; Fri, 06 Apr 2007 03:28:52 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HZisM-0007YH-MZ for spkm@ietf.org; Fri, 06 Apr 2007 03:28:50 -0400
Received: from mailb.microsoft.com ([131.107.115.215] helo=smtp.microsoft.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HZisJ-0001uz-7x for spkm@ietf.org; Fri, 06 Apr 2007 03:28:50 -0400
Received: from TK5-EXHUB-C101.redmond.corp.microsoft.com (157.54.70.76) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.0.685.24; Fri, 6 Apr 2007 00:28:46 -0700
Received: from win-imc-01.wingroup.windeploy.ntdev.microsoft.com (157.54.0.39) by TK5-EXHUB-C101.redmond.corp.microsoft.com (157.54.70.76) with Microsoft SMTP Server id 8.0.685.25; Fri, 6 Apr 2007 00:28:46 -0700
Received: from WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com ([157.54.62.24]) by win-imc-01.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 6 Apr 2007 00:28:46 -0700
x-mimeole: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt
Date: Fri, 06 Apr 2007 00:28:27 -0700
Message-ID: <CAAAEFE273EAD341A4B02AAA9CA6F7330560FD3D@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <46156FB4.4070007@citi.umich.edu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
thread-topic: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt
thread-index: Acd4BGUsFkcuKA6FRNmwF8cjiYBM3AAGKRiw
References: <46156FB4.4070007@citi.umich.edu>
From: "Liqiang(Larry) Zhu" <lzhu@windows.microsoft.com>
To: Olga Kornievskaia <aglo@citi.umich.edu>, kitten@lists.ietf.org, spkm@ietf.org
X-OriginalArrivalTime: 06 Apr 2007 07:28:46.0262 (UTC) FILETIME=[363BC560:01C7781D]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 00e94c813bef7832af255170dca19e36
Cc:
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org

Olga Kornievskaia wrote:
> Is PKU2U meant to be a GSS API mechanism or a standalone security 
> protocol? The abstract seems to imply that pku2u could be a stand 
> alone protocol. However, the 1st sentence of the Section 5 says that 
> pku2u "can only be used in conjunction with GSS-API".

PKU2U as defined here requires the use of GSS-API. I do not know if you
have objections to this requirement.

> First, I hope that the 1st sentence refers to "tokens" not just the 
> 1st
> (AS_REQ) token. As its written, it says that AS_REQ token is framed 
> but the AS_REP token is not which doesn't make sense.

Your understanding is correct. Only the first message has the framing.
This is consistent with RFC4121 and RFC4178.

> Second, what does the "subsequent context establishment tokens" refer 
> to? AP_REP/AP_REQ or a something else (ie. , new pku2u sessions)?
> Furthermore, there shouldn't be any unframed tokens in GSS-API
mechanism.

Only the first message has the token framing. This is how all other
GSS-API mechanisms work today.

--larry

-----Original Message-----
From: Olga Kornievskaia [mailto:aglo@citi.umich.edu] 
Sent: Thursday, April 05, 2007 2:53 PM
To: kitten@lists.ietf.org; spkm@ietf.org
Subject: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt

Is PKU2U meant to be a GSS API mechanism or a stand alone security 
protocol? The abstract seems to imply that pku2u could be a stand alone 
protocol. However, the 1st sentence of the Section 5 says that pku2u 
"can only be used in conjunction with GSS-API".

In Section 5,

  The syntax of the initial context establishment token follows the
  initialContextToken syntax defined in Section 3.1 of [RFC2743].
  PKU2U is identified by the Objection Identifier (OID) id-kerberos-
  pku2u.

     id-kerberos-pku2u ::=
       { iso(1) org(3) dod(6) internet(1) security(5) kerberosV5(2)
         pku2u(7) }

  Subsequent context establishment tokens MUST NOT be encapsulated in
  this GSS-API generic token framing.


First, I hope that the 1st sentence refers to "tokens" not just the 1st 
(AS_REQ) token. As its written, it says that AS_REQ token is framed but 
the AS_REP token is not which doesn't make sense.

Second, what does the "subsequent context establishment tokens" refer 
to? AP_REP/AP_REQ or a something else (ie. , new pku2u sessions)? 
Furthermore, there shouldn't be any unframed tokens in GSS-API
mechanism.

I propose to remove this sentence from the draft. What would be left is 
the description how to frame context establishment tokens 
(AS_REQ/AS_REP) and then the rest are treated as per-message token 
according to rfc4121.





_______________________________________________
SPKM mailing list
SPKM@ietf.org
https://www1.ietf.org/mailman/listinfo/spkm


_______________________________________________
SPKM mailing list
SPKM@ietf.org
https://www1.ietf.org/mailman/listinfo/spkm

v2.23.0 | Report a Bug | By Email