[kitten] CAMMAC-05: Verifier-MAC etc

Zhanna Tsitkov <tsitkova@MIT.EDU> Tue, 16 July 2013 20:30 UTC

From: Zhanna Tsitkov <tsitkova@MIT.EDU>
To: "kitten@ietf.org" <kitten@ietf.org>
Date: Tue, 16 Jul 2013 20:30:06 +0000
Message-ID: <6EC63FD16C85D746815D7AB1380FCB8A335729C3@OC11EXPO25.exchange.mit.edu>
Cc: Zhanna Tsitkov <tsitkova@mit.edu>
Subject: [kitten] CAMMAC-05: Verifier-MAC etc
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>

A couple of comments on the CAMMAC rev5 draft.

1. Verifier-MAC is defined as a sequence of an optional principal name and the required fields kvno, enctype and a checksum. It seems that in some cases providing both kvno and enctype might be redundant and even unnecessary. (For example, in some cases enctype can be deduced from kvno, while svc-verifier may not need them at all.) So, it might be a good idea to make both of these fields (kvno and enctype) "optional", or at least mark enctype as an "optional" field.

The following comments are mostly about text clarity:

2. In section 3, "Validation", the third paragraph starts with "The following information is needed:" and then lists "The KDC MAC", "The Service MAC", etc. This text is followed by the statement "The KDC MAC is required to allow KDC to validate …". The question that stays unanswered is: what are "The KDC MAC" and "The Service MAC"? What are they MACs of?

3. When giving details on AD-CAMMAC-BINDING (section 4.1), the end of the paragraph mentions the S4U2proxy scenario. It might be a good idea to move this text closer to the Introduction or even have a separate "Use Cases" section for potential uses of AD-CAMMAC.

4. In the "Security Consideration" section, the text "protected by the existing encryption methods on the ticket" implies that there are multiple enc methods on one ticket. Something simple like "encryption method on the ticket" or similar would do the job.

Thanks,
Zhanna
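
An added illustration of the redundancy point in comment 1; this is not code from the message, from the CAMMAC draft or from any Kerberos implementation. It is a toy DER encoder/decoder for a Verifier-MAC-shaped SEQUENCE that lets kvno and enctype be omitted, and a verifier-side helper that falls back to its own key table when enctype is absent. Only the field list (optional principal name; kvno, enctype, checksum) comes from the message; the context tag numbers [0]..[3], the sample principal, key version number and key table are constructed assumptions. Checksum and PrincipalName use the RFC 4120 layout with explicit context tags, as Kerberos ASN.1 does.

```python
"""Toy DER encoder/decoder for a Verifier-MAC-shaped SEQUENCE.

Added example, not code from the CAMMAC draft or the kitten list.  Only the
field list comes from the message; tag numbers [0]..[3] and all sample values
are constructed assumptions.  Checksum/PrincipalName follow RFC 4120 layout.
"""

SEQUENCE, INTEGER, OCTET_STRING, GENERAL_STRING = 0x30, 0x02, 0x04, 0x1B

def der_len(n):
    """DER definite-form length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):
    """Minimal-length INTEGER; non-negative values only in this example."""
    return der_tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ctx(n, inner):
    """Explicit (constructed) context tag [n] wrapping an already-encoded value."""
    return der_tlv(0xA0 | n, inner)

def encode_checksum(cksumtype, digest):
    # Checksum ::= SEQUENCE { cksumtype [0] Int32, checksum [1] OCTET STRING }
    return der_tlv(SEQUENCE, ctx(0, der_int(cksumtype)) + ctx(1, der_tlv(OCTET_STRING, digest)))

def encode_principal_name(name_type, components):
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF GeneralString }
    strings = b"".join(der_tlv(GENERAL_STRING, c.encode("ascii")) for c in components)
    return der_tlv(SEQUENCE, ctx(0, der_int(name_type)) + ctx(1, der_tlv(SEQUENCE, strings)))

def encode_verifier_mac(mac, kvno=None, enctype=None, identifier=None):
    """Verifier-MAC as a SEQUENCE; a field passed as None is simply omitted,
    which is what making kvno/enctype OPTIONAL would allow on the wire.
    Tag numbers [0]..[3] are an assumption of this example."""
    parts = []
    if identifier is not None:
        parts.append(ctx(0, encode_principal_name(*identifier)))
    if kvno is not None:
        parts.append(ctx(1, der_int(kvno)))
    if enctype is not None:
        parts.append(ctx(2, der_int(enctype)))
    parts.append(ctx(3, encode_checksum(*mac)))          # checksum stays required
    return der_tlv(SEQUENCE, b"".join(parts))

def parse_tlv(buf, pos=0):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_sequence(content):
    items, pos = [], 0
    while pos < len(content):
        tag, inner, pos = parse_tlv(content, pos)
        items.append((tag, inner))
    return items

def decode_int(content):
    return int.from_bytes(content, "big", signed=True)

def decode_checksum(content):
    fields = [parse_tlv(inner)[1] for _, inner in parse_sequence(content)]
    return decode_int(fields[0]), fields[1]

def decode_principal_name(content):
    fields = [parse_tlv(inner)[1] for _, inner in parse_sequence(content)]
    return decode_int(fields[0]), [s.decode("ascii") for _, s in parse_sequence(fields[1])]

def decode_verifier_mac(der):
    tag, content, _ = parse_tlv(der)
    if tag != SEQUENCE:
        raise ValueError("Verifier-MAC must be a SEQUENCE")
    out = {"identifier": None, "kvno": None, "enctype": None, "mac": None}
    decoders = {0: ("identifier", decode_principal_name), 1: ("kvno", decode_int),
                2: ("enctype", decode_int), 3: ("mac", decode_checksum)}
    for ctag, inner in parse_sequence(content):
        name, fn = decoders[ctag & 0x1F]
        out[name] = fn(parse_tlv(inner)[1])      # strip the explicit [n] wrapper
    if out["mac"] is None:
        raise ValueError("checksum is required")
    return out

def resolve_enctype(vmac, key_table):
    """Enctype the verifier uses: the one on the wire if present, otherwise the
    one its own key table records for that kvno (the deduction in comment 1)."""
    if vmac["enctype"] is not None:
        return vmac["enctype"]
    if vmac["kvno"] is None:
        raise ValueError("neither enctype nor kvno present; cannot select a key")
    return key_table[vmac["kvno"]]

# Constructed sample data: a fake 96-bit HMAC and a verifier holding one key.
SAMPLE_MAC = (16, bytes(range(12)))             # cksumtype hmac-sha1-96-aes256
SAMPLE_ID = (1, ["host", "kdc.example.test"])   # NT-PRINCIPAL name, made up
KEY_TABLE = {3: 18}                             # kvno 3 -> aes256-cts-hmac-sha1-96

def demo():
    full = encode_verifier_mac(SAMPLE_MAC, kvno=3, enctype=18, identifier=SAMPLE_ID)
    slim = encode_verifier_mac(SAMPLE_MAC, kvno=3, identifier=SAMPLE_ID)   # enctype omitted
    return {"full_len": len(full), "slim_len": len(slim),
            "full_enctype": resolve_enctype(decode_verifier_mac(full), KEY_TABLE),
            "slim_enctype": resolve_enctype(decode_verifier_mac(slim), KEY_TABLE),
            "slim_fields": decode_verifier_mac(slim)}
```

With both fields required, every Verifier-MAC carries a five-byte enctype element that a verifier already knows from its key for that kvno; with enctype optional the sender may drop it and the verifier still selects the same key, while a structure that omits both kvno and enctype is rejected by `resolve_enctype` because the verifier cannot pick a key at all.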