Richards, Gareth | 1 Feb 10:31 2008

Re: review of draft-ietf-krb-wg-otp-preauth-02.txt

> > It is the byte values of the UTF-8 encoding of the KDC's
> > principal name.
> > Would this clear that up?
> 
> UTF-8 alone does not guarantee a unique encoding, think of
> normalization rules in Unicode. It would be a lot easier to
> say you hash over the DER encoding of the ASN.1 type as it
> appears in the AS-REQ message. This allows you to get around the
> messy I18N issues in Kerberos. Take a look at RFC4556 and pay
> attention to the language used in the description of the KDF.
> 

I have been trying to design the system so that the OTP server can be
independent of any protocol details of its client since the interface to
retrieve the hashed OTP values could be used by other authentication
servers. I have therefore been trying to avoid involving any Kerberos
knowledge in the generation of the hash.  

The client and the OTP server need to be configured with the same value
of sname so that they can generate the same hash values.  In theory, it
doesn't really matter what this value is as long as it is unique to the
KDC and so I suppose the DER encoding of the PrincipalName from the
AS-REQ could be used but so could something like the KDC's IP address or
FQDN or any string value that the client has been configured with.

> > The intention was the proposal would not alter the way that
> > string-to-key functions but have the parameters either be
> > the default of the cipher suite or those given by the
> > sk2params of the PA-ETYPE-INFO2.

Internet-Drafts | 7 Feb 11:45 2008

I-D Action:draft-ietf-krb-wg-kdc-model-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Kerberos Working Group of the IETF.

	Title           : An information model for Kerberos version 5
	Author(s)       : L. Johansson
	Filename        : draft-ietf-krb-wg-kdc-model-01.txt
	Pages           : 18
	Date            : 2008-02-06

This document describes an information model for Kerberos version 5
from the point of view of an administrative service.  There is no
standard for administrating a Kerberos 5 KDC.  This document
describes the services exposed by an administrative interface to a
KDC.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kdc-model-01.txt

To remove yourself from the I-D Announcement list, send a message to
i-d-announce-request <at> ietf.org with the word unsubscribe in the body of 
the message.
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
to change your subscription settings.

Internet-Drafts are also available by anonymous FTP. Login with the 
username "anonymous" and a password of your e-mail address. After 
logging in, type "cd internet-drafts" and then
	"get draft-ietf-krb-wg-kdc-model-01.txt".

A list of Internet-Drafts directories can be found in

Jeffrey Hutzelman | 8 Feb 00:31 2008

WG Last Call: draft-ietf-krb-wg-kdc-model-01.txt

This note announces the start of a two-week last call within the Kerberos
Working Group on whether to send the following document to the IESG:

Title:           An information model for Kerberos version 5
Filename:        draft-ietf-krb-wg-kdc-model-01.txt
Intended Status: Proposed Standard

   This document describes an information model for Kerberos version 5
   from the point of view of an administrative service.  There is no
   standard for administrating a Kerberos 5 KDC.  This document
   describes the services exposed by an administrative interface to a
   KDC.

This last call will expire at 23:59 EDT on Feb 21, 2008.

Please review this document and send any comments to the Kerberos Working
Group mailing list, <ietf-krb-wg <at> anl.gov>, by that date.  The file can be
obtained via

http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kdc-model-01.txt

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ <at> cmu.edu>
   Chair, IETF Kerberos Working Group
   Carnegie Mellon University - Pittsburgh, PA

_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg <at> lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg


Henry B. Hotz | 8 Feb 03:54 2008

Re: WG Last Call: draft-ietf-krb-wg-kdc-model-01.txt


On Feb 7, 2008, at 3:31 PM, Jeffrey Hutzelman wrote:

> This note announces the start of a two-week last call within the
> Kerberos Working Group on whether to send the following document to
> the IESG:
>
> Title:           An information model for Kerberos version 5
> Filename:        draft-ietf-krb-wg-kdc-model-01.txt
> Intended Status: Proposed Standard
>
>    This document describes an information model for Kerberos version 5
>    from the point of view of an administrative service.  There is no
>    standard for administrating a Kerberos 5 KDC.  This document
>    describes the services exposed by an administrative interface to a
>    KDC.

I would say that the document describes information that is a  
necessary prerequisite for defining interoperability of a Kerberos  
administration interface.  I'm less certain what it defines is  
sufficient, but I do not see any problems with the information  
model.  I hope other people are thinking about this.

Section 2, paragraph 1 says this document "... describes the services  
required to ...".  I only see an information model, and nothing about  
the operations on that information that should be supported.   
Probably should just restate the scope to match the actual content,  
since I assume specifying the operations is to be done elsewhere.

Section 7.3 generically mentions SOAP.  That's OK, but I would think  

KAMADA Ken'ichi | 13 Feb 08:31 2008

An approach for cross-realm issues

Hi,

I'm working on a proposal that solves some of the issues
identified in the cross-realm problem statement
(draft-ietf-krb-wg-cross-problem-statement-02).
The draft is draft-kamada-krb-client-friendly-cross-03.

I'd like to start to evaluate approaches to the cross-realm issues.
This draft describes one of them.  I would be glad if I can talk
about it at IETF-71.

The main focus of the draft is to solve the client performance issue,
but it also solves some of the other issues in the problem statement.
The proposed mechanism in the draft reduces the client's workload by
1) moving the task from clients to the KDC, and
2) caching the result of multi-hop traversal by the KDC
   so that it can be used for multiple clients.

Related to this work, I want to let PKCROSS be resumed.
If there are not enough hands, I'd volunteer to edit it.
I've been implementing it on Heimdal and the basic stuff is
working now, and I think I can feed back some findings to the spec.

If you are interested, I would appreciate your comments.
I'd also like to hear your opinions on whether this is work
that the WG will want to pick up.

Thanks,

-- 
KAMADA Ken'ichi

Internet-Drafts | 14 Feb 15:30 2008

I-D Action:draft-ietf-krb-wg-otp-preauth-03.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Kerberos Working Group of the IETF.

	Title           : OTP Pre-authentication
	Author(s)       : G. Richards
	Filename        : draft-ietf-krb-wg-otp-preauth-03.txt
	Pages           : 33
	Date            : 2008-02-14

The Kerberos protocol provides a framework for authenticating a client
using the exchange of pre-authentication data.  This document
describes the use of this framework to carry out One Time Password
(OTP) authentication.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-otp-preauth-03.txt


Richards, Gareth | 14 Feb 15:32 2008

FW: New Version Notification for draft-ietf-krb-wg-otp-preauth-03

I have just submitted an update to the OTP pre-authentication ID that
should hopefully cover the issues discussed a couple of weeks ago.

1. Extended several sections to contain more detail on how various
attributes are set in the PA-OTP-REQUEST and PA-OTP-CHALLENGE

2. Corrected the error where etypes and otp-length were INTEGERs rather
than INT32

3. Changed the sname used in the hash algorithm in section 3.6 to be the
UTF-8 encoded FQDN of the KDC.  If the DN is an IDN then the output of
nameprep as described in RFC3490 is used.

4. Added informational references to RFC2808 and RFC4226 as examples of
OTP mechanisms that the system supports and made RFC2289 mandatory to
implement.

5. Clarified the use of the "initial" flag in the PIN change process in
section 2.3

6. Added example exchanges in a new Appendix B.

I have also added a new "combine" flag following a discussion off list
that controls whether the challenge in a challenge response OTP is
combined with the current token state.  This brings the OTP mechanism in
line with the POTP EAP OTP mechanism in RFC4793.

--Gareth

-----Original Message-----
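As an added illustration, not part of the thread, of the normalization concern raised in the earlier reply and of change 3 above: hashing the raw UTF-8 bytes of a KDC name gives different results for two Unicode spellings of the same name, so a client and an OTP server configured with "the same" sname can still disagree, while canonicalizing first makes them agree. The host name and the use of SHA-256 are constructed, and the canonicalization (case fold then NFKC) is assumed as a rough stand-in for nameprep, not the draft's exact procedure.

```python
import hashlib
import unicodedata

# Constructed sample: one KDC host name written two ways that render
# identically. NFC uses precomposed U+00E9; NFD uses "e" + U+0301.
KDC_NAME_NFC = "kdc.r\u00e9alm.example"
KDC_NAME_NFD = "kdc.re\u0301alm.example"


def raw_utf8_hash(sname: str) -> str:
    """Hash the UTF-8 bytes exactly as typed (the -02 wording)."""
    return hashlib.sha256(sname.encode("utf-8")).hexdigest()


def canonicalize(sname: str) -> str:
    """Case-fold, then NFKC-normalize.

    Assumption: this only mimics the shape of nameprep (RFC3491: mapping,
    then KC normalization). It is not the draft's exact procedure and it
    omits nameprep's prohibited-code-point and bidi checks.
    """
    return unicodedata.normalize("NFKC", sname.casefold())


def canonical_hash(sname: str) -> str:
    """Hash after canonicalizing: the direction the -03 change takes."""
    return raw_utf8_hash(canonicalize(sname))


def peers_agree(client_sname: str, server_sname: str, hash_fn) -> bool:
    """True when a client and an OTP server configured with these two
    spellings of the sname would derive the same hash value."""
    return hash_fn(client_sname) == hash_fn(server_sname)


if __name__ == "__main__":
    print("raw UTF-8 agree: ",
          peers_agree(KDC_NAME_NFC, KDC_NAME_NFD, raw_utf8_hash))
    print("canonical agree: ",
          peers_agree(KDC_NAME_NFC, KDC_NAME_NFD, canonical_hash))
```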

The IESG | 22 Feb 20:35 2008

Last Call: draft-ietf-krb-wg-anon (Anonymity Support for Kerberos) to Proposed Standard

The IESG has received a request from the Kerberos WG (krb-wg) to consider
the following document:

- 'Anonymity Support for Kerberos'
   <draft-ietf-krb-wg-anon-05.txt> as a Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send substantive comments to the
ietf <at> ietf.org mailing lists by 2008-03-07. Exceptionally, 
comments may be sent to iesg <at> ietf.org instead. In either case, please 
retain the beginning of the Subject line to allow automated sorting.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-anon-05.txt

IESG discussion can be tracked via
https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=14763&rfc_flag=0


The IESG | 22 Feb 20:36 2008

Last Call: draft-ietf-krb-wg-naming (Additional Kerberos Naming Constraints) to Proposed Standard

The IESG has received a request from the Kerberos WG (krb-wg) to 
consider the following document:

- 'Additional Kerberos Naming Constraints'
   <draft-ietf-krb-wg-naming-04.txt> as a Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send substantive comments to the
ietf <at> ietf.org mailing lists by 2008-03-07. Exceptionally, 
comments may be sent to iesg <at> ietf.org instead. In either case, please 
retain the beginning of the Subject line to allow automated sorting.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-naming-04.txt

IESG discussion can be tracked via
https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=14767&rfc_flag=0


The IESG | 22 Feb 20:39 2008

Last Call: draft-zhu-pkinit-ecc (ECC Support for PKINIT) to Informational RFC

The IESG has received a request from the Kerberos WG (krb-wg) to 
consider the following document:

- 'ECC Support for PKINIT'
   <draft-zhu-pkinit-ecc-04.txt> as an Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send substantive comments to the
ietf <at> ietf.org mailing lists by 2008-03-07. Exceptionally, 
comments may be sent to iesg <at> ietf.org instead. In either case, please 
retain the beginning of the Subject line to allow automated sorting.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-zhu-pkinit-ecc-04.txt

IESG discussion can be tracked via
https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=13663&rfc_flag=0
