IETF Logo Mail Archive

[kitten] draft-ietf-kitten-kerberos-iana-registries -- KerberosFlags limited to 0..31?

Rick van Rein <rick@openfortress.nl> Mon, 21 July 2014 09:04 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D100B1B2B63 for <kitten@ietfa.amsl.com>; Mon, 21 Jul 2014 02:04:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.093
X-Spam-Level: **
X-Spam-Status: No, score=2.093 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kiPZ9ZAq0hI6 for <kitten@ietfa.amsl.com>; Mon, 21 Jul 2014 02:04:02 -0700 (PDT)
Received: from smtp-vbr2.xs4all.nl (smtp-vbr2.xs4all.nl [194.109.24.22]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C362C1B2A46 for <kitten@ietf.org>; Mon, 21 Jul 2014 02:04:01 -0700 (PDT)
Received: from [10.0.1.225] (phantom.vanrein.org [83.161.146.46]) (authenticated bits=0) by smtp-vbr2.xs4all.nl (8.13.8/8.13.8) with ESMTP id s6L93tUm093348 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 21 Jul 2014 11:03:57 +0200 (CEST) (envelope-from rick@openfortress.nl)
From: Rick van Rein <rick@openfortress.nl>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 21 Jul 2014 11:03:55 +0200
To: tlyu@mit.edu, kitten@ietf.org
Message-Id: <93975EF5-D151-417E-8043-6B54D36FD9DC@openfortress.nl>
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
X-Virus-Scanned: by XS4ALL Virus Scanner
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/yqV5stI91cl9P4ABaWlsAj-3IK4
Subject: [kitten] draft-ietf-kitten-kerberos-iana-registries -- KerberosFlags limited to 0..31?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jul 2014 09:04:04 -0000

Hello Tom Yu / Kitten,

I was surprised to learn that draft-ietf-kitten-kerberos-iana-registries-03 defines

> 6.1.  AP-REQ options
> 
>    Registry name:      AP-REQ options
>    Assignment policy:  Standards action
>    Valid values:       ASN.1 bit numbers 0 through 31
> 
> 6.2.  KDC-REQ options
> 
>    Registry name:      KDC-REQ options
>    Assignment policy:  Standards action
>    Valid values:       ASN.1 bit numbers 0 through 31
> 
> 6.3.  Ticket flags
> 
>    Registry name:      Ticket flags
>    Assignment policy:  Standards action
>    Valid values:       ASN.1 bit numbers 0 through 31

These are all instances of the KerberosFlags type.

I’m not sure that a maximum of 32 bits is required, or desirable, for that type.

RFC 4120 specifies in section 5.2.8 “KerberosFlags” that

>    KerberosFlags   ::= BIT STRING (SIZE (32..MAX))
>                        -- minimum number of bits shall be sent,
>                        -- but no fewer than 32

and

>    Most existing implementations of Kerberos unconditionally send 32
>    bits on the wire when encoding bit strings used as boolean vectors.
>    This behavior violates the ASN.1 syntax used for flag values in RFC
>    1510, but it occurs on such a widely installed base that the protocol
>    description is being modified to accommodate it.
> 
>    Consequently, this document removes the "NamedBit" notations for
>    individual bits, relegating them to comments.  The size constraint on
>    the KerberosFlags type requires that at least 32 bits be encoded at
>    all times, though a lenient implementation MAY choose to accept fewer
>    than 32 bits and to treat the missing bits as set to zero.
> 
>    Currently, no uses of KerberosFlags specify more than 32 bits' worth
>    of flags, although future revisions of this document may do so.  When
>    more than 32 bits are to be transmitted in a KerberosFlags value,
>    future revisions to this document will likely specify that the
>    smallest number of bits needed to encode the highest-numbered one-
>    valued bit should be sent.  This is somewhat similar to the DER
>    encoding of a bit string that is declared with the "NamedBit"
>    notation.


I see nothing here that constrains the number of bits, and I cannot think of any real problems as a result of encoding more bits; not even when a lot of zero bits are included at the high end; for instance, to send 64 bits to be able to include 35 bits worth of flags.  (And if problems arose with existing implementations, then these would constitute an error in the ASN.1 encoding used, and these implementations would need a bug fix.)

I would therefore like to argue that it is not necessary to constrain the "Ticket flags” registry to 32 bits, and that it may be helpful in the future to prepare for longer BITSTRINGs.


I hope this is a useful addition.

Cheers,
 -Rick

v2.23.0 | Report a Bug | By Email