IETF Logo Mail Archive

[SPKM] RE: Comments on draft-zhu-pku2u-01.txt

"Liqiang(Larry) Zhu" <lzhu@windows.microsoft.com> Sun, 18 March 2007 23:43 UTC

Return-path: <spkm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HT520-000475-JZ; Sun, 18 Mar 2007 19:43:20 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HT51z-00045Z-OV for spkm@ietf.org; Sun, 18 Mar 2007 19:43:19 -0400
Received: from mailc.microsoft.com ([131.107.115.214] helo=smtp.microsoft.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HT51w-0000QI-AX for spkm@ietf.org; Sun, 18 Mar 2007 19:43:19 -0400
Received: from tk1-exhub-c103.redmond.corp.microsoft.com (157.56.116.114) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.0.685.24; Sun, 18 Mar 2007 16:43:13 -0700
Received: from win-imc-01.wingroup.windeploy.ntdev.microsoft.com (157.54.0.39) by tk1-exhub-c103.redmond.corp.microsoft.com (157.56.116.114) with Microsoft SMTP Server id 8.0.685.25; Sun, 18 Mar 2007 16:43:13 -0700
Received: from WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com ([157.54.62.25]) by win-imc-01.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(6.0.3790.3953); Sun, 18 Mar 2007 16:43:13 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sun, 18 Mar 2007 16:43:06 -0700
Message-ID: <CAAAEFE273EAD341A4B02AAA9CA6F733051CAA9F@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <Pine.LNX.4.33L.0703181912540.1982-100000@minbar.fac.cs.cmu.edu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Comments on draft-zhu-pku2u-01.txt
Thread-Index: AcdptI8U7IB3T71PTW+fKe4ZaC+ALgAAKfqg
References: <20070318122026.GJ22445@Sun.COM> <Pine.LNX.4.33L.0703181912540.1982-100000@minbar.fac.cs.cmu.edu>
From: "Liqiang(Larry) Zhu" <lzhu@windows.microsoft.com>
To: Jeffrey Hutzelman <jhutz@cmu.edu>, Nicolas Williams <Nicolas.Williams@sun.com>
X-OriginalArrivalTime: 18 Mar 2007 23:43:13.0780 (UTC) FILETIME=[31BDC340:01C769B7]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a8a20a483a84f747e56475e290ee868e
Cc: spkm@ietf.org, Michael.Eisler@netapp.com, Olga Kornievskaia <aglo@citi.umich.edu>, kitten@lists.ietf.org, andros@citi.umich.edu
Subject: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org

The intention of the text in -01 is that if a KRB-ERROR message should
be generated according to rfc4120, then GSS_S_CONTINUE_NEEDED MUST be
returned. 
Based on the discussion here, the draft should acknowledge cases where
there is an error that is not a KDC error per RFC4120, say for example
the acceptor runs out of memory.
 
Jeffrey Hutzelman wrote:
> More generally, a mechanism should return GSS_S_CONTINUE_NEEDED in
exactly
> those cases where the peer is expected to send another token, and no
> others.
Would it be preferable to return a GSS_S_CONTINUE_NEEDED and a KRB_ERROR
in cases where the client is not expected to send another token, for
example in the case of a policy error? The error message contains useful
information for trouble-shooting. 	

I would not recommend returning an error token when the returned status
is NOT GSS_S_CONTINUE_NEEDED, in that cases, most apps would simply
throw that away.
--larry
-----Original Message-----
From: Jeffrey Hutzelman [mailto:jhutz@cmu.edu] 
Sent: Sunday, March 18, 2007 4:24 PM
To: Nicolas Williams
Cc: Liqiang(Larry) Zhu; Olga Kornievskaia; Michael.Eisler@netapp.com;
andros@citi.umich.edu; kitten@lists.ietf.org; spkm@ietf.org
Subject: Re: Comments on draft-zhu-pku2u-01.txt

On Sun, 18 Mar 2007, Nicolas Williams wrote:

> On Sat, Mar 17, 2007 at 03:04:39AM -0400, Jeffrey Hutzelman wrote:
> > On Fri, 16 Mar 2007, Liqiang(Larry) Zhu wrote:
> >
> > > 6. User to User when applied by server policy
> > >
> > >    In the case that the client application doesn't know that a
service
> > >    requires user-to-user authentication, and requests and receives
a
> > >    conventional KRB_AP_REP, the client will send the KRB_AP_REP
> > >    request, and the server will respond with a KRB_ERROR token as
> > >    described in RFC1964, with a msg-type of
> > >    KRB_AP_ERR_USER_TO_USER_REQUIRED (0x45). The server may
optionally
> > >    pass the TGT in the data field of this error message. In
response to
> > >    this error, the initiator sets flags and returns a
> > >    GSS_C_CONTINUE_NEEDED so that the next round uses the mechanism
> > >    described in section 4.
> >
> > While this is a token carrying a KRB_ERROR, it's not an "error
token" in
> > the sense that we're talking about.  In the context of Olga's and my
> > comments, an "error token" is one which causes the peer to abort
context
> > establishment and return an error status to its caller.  Such a
token
> > should never be returned with GSS_S_CONTINUE_NEEDED, because no
reply is
> > expected.
>
> The quoted text does not call this an error token.

No, it doesn't, but check the current thread.  The current PKU2U
document
indicates that "In all cases, GSS_Accept_security_context returns
GSS_S_CONTINUE_NEEDED... a KRB_ERROR if there was an error...".  Olga's
reading and mine is that this in some cases requires reinturning
GSS_S_CONTINUE_NEEDED with an output token that is an "error token" as I
define it above; that is, one which the initiator is expected to handle
by
aborting the context establishment (Olga didn't use the phrase "error
token", but I did).

Larry quoted the text from section 6 of the Kerberos U2U as a
counterexample to my argument that when an error token is emitted, it
should always come with a real error code, not GSS_S_CONTINUE_NEEDED.
But
the quoted text is not actually a counterexample, because although the
token described containes a KRB-ERROR, it is not an "error token"; it is
intended to trigger the U2U mechanism, which will result in another
context token.


The case described on page 5 of PKU2U-01 describes a token produced when
"there was an error while processing the request or the local policy
prevented a ticket from being issued."  These are situations in which
context establishment cannot continue, and the error token is intended
to
cause GSS_Init_sec_context to return an appropriate failure code.  Since
no further tokens are expected, the correct result code is something
other
than GSS_S_CONTINUE_NEEDED.

More generally, a mechanism should return GSS_S_CONTINUE_NEEDED in
exactly
those cases where the peer is expected to send another token, and no
others.

-- Jeff



_______________________________________________
SPKM mailing list
SPKM@ietf.org
https://www1.ietf.org/mailman/listinfo/spkm

v2.23.0 | Report a Bug | By Email