[SPKM] Re: Comments on draft-zhu-pku2u-01.txt
Jeffrey Hutzelman <jhutz@cmu.edu> Fri, 16 March 2007 21:33 UTC
Return-path: <spkm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HSK3U-000196-45; Fri, 16 Mar 2007 17:33:44 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HSK3S-00018t-BM; Fri, 16 Mar 2007 17:33:42 -0400
Received: from currant.srv.cs.cmu.edu ([128.2.194.193]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HSK3Q-0001yi-2Q; Fri, 16 Mar 2007 17:33:42 -0400
Received: from SIRIUS.FAC.CS.CMU.EDU (SIRIUS.FAC.CS.CMU.EDU [128.2.209.170]) (authenticated bits=0) by currant.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id l2GLXaNt003239 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 16 Mar 2007 17:33:37 -0400 (EDT)
Date: Fri, 16 Mar 2007 17:33:35 -0400
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Olga Kornievskaia <aglo@citi.umich.edu>, "Liqiang(Larry) Zhu" <lzhu@windows.microsoft.com>
Message-ID: <729D2796944018A823D6E75A@sirius.fac.cs.cmu.edu>
In-Reply-To: <45FB0398.3080406@citi.umich.edu>
References: <CAAAEFE273EAD341A4B02AAA9CA6F73304D44CE4@WIN-MSG-20.wingroup.win deploy.ntdev.microsoft.com> <45FB0398.3080406@citi.umich.edu>
Originator-Info: login-token=Mulberry:013R2YmUeFDQ0paBAaEJvICHSPz8RkURFKksb+E50=; token_authority=postmaster@andrew.cmu.edu
X-Mailer: Mulberry/3.1.6 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Cc: kitten@lists.ietf.org, andros@citi.umich.edu, Michael.Eisler@netapp.com, spkm@ietf.org, Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: [SPKM] Re: Comments on draft-zhu-pku2u-01.txt
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org
On Friday, March 16, 2007 04:52:40 PM -0400 Olga Kornievskaia <aglo@citi.umich.edu> wrote: > In all cases, GSS_Accept_security_context() returns > GSS_S_CONTINUE_NEEDED status [RFC2743] and the output token is a > KRB_AS_REP message if a ticket was created or a KRB_ERROR message if > there was an error while processing the request or the local policy > prevented a ticket from being issued. > > If the acceptor returns GSS_S_CONTINUE_NEEDED in the case of an error, > what happens when the initiator after processing the error token decides > to stop, will the server just hang there in the continue needed state? This is a good point. GSS_S_CONTINUE_NEEDED indicates that it will be necessary to make the call again with another token provided by the peer. When GSS_Init_sec_context or GSS_Accept_sec_context emits an error token, it should also return an appropriate error status, not GSS_S_CONTINUE_NEEDED. > Token ids are defined for KRB_AS_REQ and KRB_AS_REP but not for KRB_ERROR? The token ID for KRB_ERROR is defined in RFC 4121. > Perhaps last paragraph of Section 6 can have a more detailed explanation > that doesn't require the user to go search for a different draft to find > our that AP_REQ should carry TYPED_DATA of type TD_IAKERB_FINISHED. I'm > sure i'm missing something but why is there a need to tie AS_REQ/REP to > AP_REQ/REP no such ties exist in original Kerberos message flow? I'm not entirely sure what you're talking about here. The AS exchange is tied to a later AP exchange via the session key; this is true whether the AS exchange results in a TGT or directly in some other service ticket. However, this does not protect the integrity of the plaintext portion of the AS exchange, and in particular of PA-DATA contained in the AS-REQ, and this is generally considered to be a shortcoming of the current AS exchange. While this is likely to be fixed in the next update to the Kerberos protocol spec (see draft-ietf-krb-wg-rfc1510ter), it is also possible for a higher layer to perform an after-the-fact integrity check of the entire AS exchange, as IAKERB does. Whether this is necessary or a good idea is, of course, up for discussion. -- Jeff _______________________________________________ SPKM mailing list SPKM@ietf.org https://www1.ietf.org/mailman/listinfo/spkm
- [SPKM] FW: I-D ACTION:draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Nicolas Williams
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Nicolas Williams
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Sam Hartman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Olga Kornievskaia
- Re: [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] RE: FW: I-D ACTION:draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt Olga Kornievskaia
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- RE: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Liqiang(Larry) Zhu
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex