Re: [Ietf-krb-wg] I-D Action:draft-sorce-krbwg-general-pac-00.txt

Simo Sorce <ssorce@redhat.com> Mon, 11 October 2010 20:57 UTC

Date: Mon, 11 Oct 2010 16:58:22 -0400
From: Simo Sorce <ssorce@redhat.com>
To: Luke Howard <lukeh@padl.com>
Message-ID: <20101011165822.31b03dab@willson.li.ssimo.org>
In-Reply-To: <BDC36CB6-7A5A-4DE3-82F4-CC632439D157@padl.com>
References: <20101007190001.C756E3A6F57@core3.amsl.com> <000001cb6655$64065120$2c12f360$@hardjono.net> <20101007203921.GZ9501@oracle.com> <20101007164355.23459584@willson.li.ssimo.org> <20101007234612.GG9501@oracle.com> <4214564D-8EBD-40F5-B0A4-E3E130F0F002@jpl.nasa.gov> <20101008031941.GK9501@oracle.com> <DCE6A7CD-CE6D-49AE-BC3F-DBAD49156531@jpl.nasa.gov> <20101011174535.GD989@oracle.com> <47416562-10C3-4AB3-816C-DC9B2E758B0B@jpl.nasa.gov> <20101011184111.GF989@oracle.com> <7210DC8F-C7ED-4BA0-A78C-440EAD527375@jpl.nasa.gov> <BDC36CB6-7A5A-4DE3-82F4-CC632439D157@padl.com>
Organization: Red Hat, Inc.
Cc: "ietf-krb-wg@anl.gov" <ietf-krb-wg@anl.gov>
Subject: Re: [Ietf-krb-wg] I-D Action:draft-sorce-krbwg-general-pac-00.txt

On Mon, 11 Oct 2010 21:27:21 +0200
Luke Howard <lukeh@padl.com> wrote:

> > The client can see how big the authorization data field is if
> > nothing else.  For this scenario, I'm not proposing the client
> > cares unless a service tells it to care.
> 
> The client can see how big the ticket is, that's it; it might be
> dangerous to make assumptions on the contents based on size.
> 
> >> The service has no way to tell the client that it needs a new
> >> ticket, except maybe by returning KRB_AP_ERR_BAD_INTEGRITY.  But
> >> for at least some important protocols (e.g., SSHv2 with gss keyex)
> >> this is not a retriable error, and the user will notice.
> > 
> > Agree that this requires new functionality and probably updates to
> > standards.  Makes this scenario ugly and unattractive IMO.
> 
> Better for the server to acquire a PAC-ful ticket using S4U2Self, if
> it needs one (as Simo points out, this requires bidirectional trust).

Bidirectional trust is not the only thing required; it also requires
that the KDC trusts the service to impersonate the user to some degree,
which you may or may not want to allow on all services.
Granted, this is not S4U2Proxy, but still...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg