[TLS] Kerberos + ECDHE in TLS (v02)
Rick van Rein <rick@openfortress.nl> Fri, 11 March 2016 13:48 UTC
Hello,

I revised my TLS-KDH draft to include comments from this group. Thanks!

The changes can be summarised as:

 * Integration with "normal" X.509 certificates; client may use krb5 certificate
 * Kerberos Ticket as X.509 pubkeyinfo; Authenticator as signature mechanism
 * Define TLS-standardised hashes as ChecksumTypes for use in an Authenticator
 * Moved TicketRequestFlags to a TLS Extension; negotiation with min/max flags
 * Taken out protocol-bound DH; this saves about 75% of the complexity
 * Pre-master secret now incorporates Kerberos session key and DH shared secret
 * Added descriptions of how to support backend servers in Ticket AuthData

I am aware that embedding Kerberos in an X.509 certificate is uncommon; but it simplifies the rest incredibly, and suddenly everything "clicks" smoothly into the rest of TLS. I therefore think this form of "tunneling" certifying information is worth considering.

Is this something that could be discussed at IETF 95?

Cheers,
 -Rick

> A new version of I-D, draft-vanrein-tls-kdh-02.txt
> has been successfully submitted by Rick van Rein and posted to the
> IETF repository.
>
> Name: draft-vanrein-tls-kdh
> Revision: 02
> Title: TLS-KDH: Kerberos + Diffie-Hellman in TLS
> Document date: 2016-03-11
> Group: Individual Submission
> Pages: 23
> URL: https://www.ietf.org/internet-drafts/draft-vanrein-tls-kdh-02.txt
> Status: https://datatracker.ietf.org/doc/draft-vanrein-tls-kdh/
> Htmlized: https://tools.ietf.org/html/draft-vanrein-tls-kdh-02
> Diff: https://www.ietf.org/rfcdiff?url2=draft-vanrein-tls-kdh-02
>
> Abstract:
> This specification defines a TLS message flow with Kerberos-based
> (mutual) authentication, binding in Elliptic-Curve Diffie-Hellman to
> achieve Forward Secrecy for the session.