Matt Crawford | 3 Apr 2006 17:58

Re: Draft SAAG Meeting Minutes

Seen in the SAAG minutes ...

On Mar 29, 2006, at 10:19, Russ Housley wrote:

> Siddharth Bajaj: Dynamic passwords in Kerberos? Has IETF looked at  
> that?
> Sam Hartman: Very interested.  There are drafts for using OTP with
>    Kerberos.

Might there be WG interest in resuming development of draft-ietf-krb-wg-hw-auth-03.txt?

               Passwordless Initial Authentication to Kerberos
                        by Hardware Preauthentication
Abstract

     This document specifies an extension to the Kerberos protocol for
     performing initial authentication of a user without using that
     user's long-lived password.  Any "hardware preauthentication" method
     may be employed instead of the password, and the key of another
     principal must be nominated to encrypt the returned credential.

Sam Hartman | 4 Apr 2006 20:24

Re: ICNS 2006: Early Registration Ends April 1

>>>>> "Robert" == Robert Holliday <robholliday <at> isocore.com> writes:

    Robert> The International Conference on Network Security 2006,
    Robert> April 17-19, Reston, Virginia

As far as I can tell, this post is off topic for any IETF list.  Only
ISOC sponsored or endorsed conferences may be announced on IETF lists.

Sam Hartman,

Security Area Director

Simon Josefsson | 5 Apr 2006 01:28

Kerberos V5 over TLS and draft-josefsson-krb-tcp-expansion.txt

We are going to deploy Kerberos V5 over TLS, and I'd like to
standardize the mechanism used within the IETF.  Can I ask the chair
to ask the WG whether it wishes to adopt the following document that
would enable us to achieve that goal?

http://www.ietf.org/internet-drafts/draft-josefsson-krb-tcp-expansion-00.txt

Alternatively, to suggest an approach that would be acceptable for
standardization within the WG.

The background is that because of the little interest in my approach,
I concluded that the WG was not interested in this work.  So I asked
the IESG to publish my approach as an individual standard.  The
response was that it must be standardized by this WG.  I understand
that the WG may have other priorities, but since this is our main
priority standardization wise, and I'd like to move forward, I feel
compelled to ask again.

This work is currently divided into two parts.  The
draft-josefsson-krb-tcp-expansion.txt document doesn't deal with TLS
at all, it is a simple expansion mechanism for Kerberos V5 over TCP.

Andrew has pointed out that some implementations don't follow RFC
4120, but I believe that can be handled by an implementation note,
much like the many things in RFC 4120 itself about buggy
implementations.  I can survey in more detail exactly how MIT Kerberos
and Heimdal behave, if that would clarify the situation.  The second
document would simply request IANA to allocate one of the available
expansion slots for Kerberos V5 over TLS.


Jeffrey Hutzelman | 5 Apr 2006 01:55

Re: Kerberos V5 over TLS and draft-josefsson-krb-tcp-expansion.txt

On Wed, 5 Apr 2006, Simon Josefsson wrote:

> The background is that because of the little interest in my approach,
> I concluded that the WG was not interested in this work.  So I asked
> the IESG to publish my approach as an individual standard.  The
> response was that it must be standardized by this WG.

As they should have.  At points in the past where you've brought this up,
it seemed to me there was interest in discussing it, but not enough to
make people drop what they were doing to work on it.  That's fine -- one
of the problems we have is that too much of the active work is being done
by the same small set of people, which means it gets done very slowly.

I was hoping to discuss this work at our meeting in Dallas, but you didn't
seem to be around, so I saw little point in doing so at that time.  That
doesn't mean we can't discuss it here.

> I understand
> that the WG may have other priorities, but since this is our main
> priority standardization wise, and I'd like to move forward, I feel
> compelled to ask again.

Don't just ask, _do_! :-)

Seriously, the best thing you can do to make the work happen is to drive
it.  Getting and responding to feedback and updating the documents, which
you're clearly doing here, is pretty much the way to make things happen.

> This work is currently divided into two parts.  The
> draft-josefsson-krb-tcp-expansion.txt document doesn't deal with TLS

Simon Josefsson | 5 Apr 2006 02:35

Re: Kerberos V5 over TLS and draft-josefsson-krb-tcp-expansion.txt

Jeffrey Hutzelman <jhutz <at> cmu.edu> writes:

> On Wed, 5 Apr 2006, Simon Josefsson wrote:
>
>> The background is that because of the little interest in my approach,
>> I concluded that the WG was not interested in this work.  So I asked
>> the IESG to publish my approach as an individual standard.  The
>> response was that it must be standardized by this WG.
>
> As they should have.  At points in the past where you've brought this up,
> it seemed to me there was interest in discussing it, but not enough to
> make people drop what they were doing to work on it.  That's fine -- one
> of the problems we have is that too much of the active work is being done
> by the same small set of people, which means it gets done very slowly.

Understood.

> I was hoping to discuss this work at our meeting in Dallas, but you didn't
> seem to be around, so I saw little point in doing so at that time.  That
> doesn't mean we can't discuss it here.

Excellent!  I wasn't in Dallas, hopefully I can make it to some future
meeting and possibly explain this further.

>> I understand
>> that the WG may have other priorities, but since this is our main
>> priority standardization wise, and I'd like to move forward, I feel
>> compelled to ask again.
>
> Don't just ask, _do_! :-)

Nicolas Williams | 5 Apr 2006 03:32

Re: Kerberos V5 over TLS and draft-josefsson-krb-tcp-expansion.txt

On Wed, Apr 05, 2006 at 02:35:22AM +0200, Simon Josefsson wrote:
> Excellent!  I wasn't in Dallas, hopefully I can make it to some future
> meeting and possibly explain this further.

No need to wait that long.  Your draft is fairly small and
self-explanatory.  More importantly, it leaves room for other
extensions.  It's basically close.  Drive some discussion, request a
WGLC and it should get through easily enough.

Nico

Jeffrey Hutzelman | 5 Apr 2006 05:27

Re: Kerberos V5 over TLS and draft-josefsson-krb-tcp-expansion.txt


On Wednesday, April 05, 2006 02:35:22 AM +0200 Simon Josefsson 
<jas <at> extundo.com> wrote:
> I believe the document is ready.  Giving people time to review it
> until right before (or after?) the next meeting seems fair.  July 06
> then?

Well, when we believe there are no outstanding issues and the document is 
in shape to be published, we can do a 2-week working group last call. 
Since the majority of IETF work is done on the mailing lists rather than in 
face-to-face meetings, it's not necessary to wait for a meeting to move 
something forward.

However, I can't last-call a document until it is formally a WG work item, 
and I won't when there are known outstanding issues.

> I also think that part can wait.  It is not as critical as the
> expansion mechanism.  If my current TLS expansion is flawed, it is
> simple to allocate another expansion hole for it, for the solution
> that the WG decides on.

I haven't read the latest version of your tcp-expansion document yet.  What 
assignment policy are you proposing for the extension numbers?

>> - resolve the broken-implementations question
>
> Andrew looked at MIT Kerberos, I can test Heimdal.  I believe the
> document above already addresses this sufficiently, though.

Unfortunately, what you or I alone believe is not all that matters.  This 

Nicolas Williams | 5 Apr 2006 08:34

Comments on draft-josefsson-krb-tcp-expansion.txt

Comments on the I-D:

The document title should probably not mention "IP."  I suggest
"Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges
Over TCP."

The behaviour required by RFC4120 is repeated in more than one place in
this I-D:

 - referenced in the introduction
 - copied in the introduction
 - restated in the first paragraph of section 3
 - partly restated in the third paragraph of section 3

I think that's too much redundancy.  Strike Section 3, paragraphs 1 and 3.

>   This document describe how the high bit is used to implement an
>   expansion mechanism.  This expansion mechanism is intended for
>   features that are specific for the TCP/IP transport.

s/describe/describes/

s,/IP,,

>   Kerberos 5 require Key Distribution Centers ...

s/require/requires/

But then, I'd strike that paragraph entirely (see above).


Simon Josefsson | 5 Apr 2006 10:22

Re: Comments on draft-josefsson-krb-tcp-expansion.txt

Nicolas Williams <Nicolas.Williams <at> sun.com> writes:

> Comments on the I-D:

Thanks for reviewing it!

> The document title should probably not mention "IP."  I suggest
> "Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges
> Over TCP."

Changed, although I changed 'Extended' to 'Expanded', to avoid
confusing this work with the other 'extension' work going on.  If
'extended' reads better, I can change it.

> The behaviour required by RFC4120 is repeated in more than one place in
> this I-D:
>
>  - referenced in the introduction
>  - copied in the introduction
>  - restated in the first paragraph of section 3
>  - partly restated in the third paragraph of section 3
>
> I think that's too much redundancy.  Strike Section 3, paragraphs 1 and 3.

Agreed.

Paragraph 3 of section 3 was not about the RFC 4120 behaviour, though,
it was about how to handle unsupported expansions within this
mechanism.  But I can see how it was read the wrong way, especially
after the excessive redundancy.  That section will probably be

Simon Josefsson | 5 Apr 2006 10:28

Re: Kerberos V5 over TLS and draft-josefsson-krb-tcp-expansion.txt

Jeffrey Hutzelman <jhutz <at> cmu.edu> writes:

> On Wednesday, April 05, 2006 02:35:22 AM +0200 Simon Josefsson
> <jas <at> extundo.com> wrote:
>> I believe the document is ready.  Giving people time to review it
>> until right before (or after?) the next meeting seems fair.  July 06
>> then?
>
> Well, when we believe there are no outstanding issues and the document
> is in shape to be published, we can do a 2-week working group last
> call. Since the majority of IETF work is done on the mailing lists
> rather than in face-to-face meetings, it's not necessary to wait for a
> meeting to move something forward.
>
> However, I can't last-call a document until it is formally a WG work
> item, and I won't when there are known outstanding issues.

Ok.  I'll try to resolve all the issues and publish a new revision.

>> I also think that part can wait.  It is not as critical as the
>> expansion mechanism.  If my current TLS expansion is flawed, it is
>> simple to allocate another expansion hole for it, for the solution
>> that the WG decides on.
>
> I haven't read the latest version of your tcp-expansion document yet.
> What assignment policy are you proposing for the extension numbers?

   Decimal         Meaning                             Reference
   -------         -------                             ---------
   0               RESERVED.                           RFC XXXX
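As an added illustration of the framing this thread discusses (example code written for this page, not from the draft, MIT Kerberos or Heimdal): RFC 4120 sends each KDC message over TCP behind a 4-octet big-endian length whose high bit must be zero, and the draft reuses a set high bit to signal an expansion, with number 0 listed as RESERVED. Placing the expansion number in the low 31 bits, the supported set {1}, and the choice to stop parsing at an expansion and to flag reserved or unsupported numbers for the server to refuse are this example's assumptions, not the draft's text.

```python
import struct

HIGH_BIT = 0x80000000
MAX_31BIT = 0x7FFFFFFF
RESERVED_EXPANSION = 0        # "0  RESERVED" in the draft's table
SUPPORTED_EXPANSIONS = {1}    # constructed: what this endpoint implements

def build_message_header(length: int) -> bytes:
    """RFC 4120 framing: 4-octet length, network byte order, high bit clear."""
    if not 0 <= length <= MAX_31BIT:
        raise ValueError("length does not fit in 31 bits")
    return struct.pack("!I", length)

def build_expansion_header(expansion: int) -> bytes:
    """Assumed draft layout: high bit set, expansion number in the low 31 bits."""
    if not RESERVED_EXPANSION < expansion <= MAX_31BIT:
        raise ValueError("expansion number reserved or out of range")
    return struct.pack("!I", HIGH_BIT | expansion)

def classify_header(header: bytes) -> tuple:
    """Return (kind, value) for one 4-octet header so the caller can decide."""
    if len(header) != 4:
        return ("invalid", len(header))
    (value,) = struct.unpack("!I", header)
    if not value & HIGH_BIT:
        return ("message", value)          # value = length of the KDC message
    expansion = value & MAX_31BIT
    if expansion == RESERVED_EXPANSION:
        return ("reserved", expansion)
    if expansion not in SUPPORTED_EXPANSIONS:
        return ("unsupported", expansion)  # peer asked for something we lack
    return ("expansion", expansion)

def split_stream(data: bytes) -> list:
    """Walk a byte stream; stop at an expansion, since what follows is defined by it."""
    frames, pos = [], 0
    while pos + 4 <= len(data):
        kind, value = classify_header(data[pos:pos + 4])
        pos += 4
        if kind == "message":
            frames.append((kind, value, data[pos:pos + value]))
            pos += value
            continue
        # expansion, reserved or unsupported: the remainder belongs to the
        # expansion handler (or the server closes the stream), so hand it over.
        frames.append((kind, value, data[pos:]))
        break
    return frames
```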
