[secdir] Re-review of draft-lha-gssapi-delegate-policy-04
"Hilarie Orman" <ho@alum.mit.edu> Sat, 27 February 2010 23:55 UTC
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F0F823A76C6; Sat, 27 Feb 2010 15:55:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Qj1uE+rsD0B; Sat, 27 Feb 2010 15:55:22 -0800 (PST)
Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232]) by core3.amsl.com (Postfix) with ESMTP id 142E63A7655; Sat, 27 Feb 2010 15:55:22 -0800 (PST)
Received: from mx02.mta.xmission.com ([166.70.13.212]) by out02.mta.xmission.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <hilarie@purplestreak.com>) id 1NlWVE-00025k-P5; Sat, 27 Feb 2010 16:55:20 -0700
Received: from 166-70-57-249.ip.xmission.com ([166.70.57.249] helo=fermat.rhmr.com) by mx02.mta.xmission.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <hilarie@purplestreak.com>) id 1NlWVC-0002W1-IA; Sat, 27 Feb 2010 16:55:20 -0700
Received: from fermat.rhmr.com (localhost [127.0.0.1]) by fermat.rhmr.com (8.14.3/8.14.3/Debian-9ubuntu1) with ESMTP id o1RNs4RS021730; Sat, 27 Feb 2010 16:54:04 -0700
Received: (from ho@localhost) by fermat.rhmr.com (8.14.3/8.14.3/Submit) id o1RNs3J9021727; Sat, 27 Feb 2010 16:54:03 -0700
Date: Sat, 27 Feb 2010 16:54:03 -0700
Message-Id: <201002272354.o1RNs3J9021727@fermat.rhmr.com>
X-Authentication-Warning: fermat.rhmr.com: ho set sender to hilarie using -f
From: Hilarie Orman <ho@alum.mit.edu>
To: secdir@ietf.org, iesg@ietf.org
X-XM-SPF: eid=; ; ; mid=; ; ; hst=mx02.mta.xmission.com; ; ; ip=166.70.57.249; ; ; frm=hilarie@purplestreak.com; ; ; spf=none
X-XM-DomainKey: sender_domain=alum.mit.edu; ; ; sender=ho@alum.mit.edu; ; ; status=error
X-SA-Exim-Connect-IP: 166.70.57.249
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa05 1397; Body=1 Fuz1=1 Fuz2=1
X-Spam-Combo: ;secdir@ietf.org, iesg@ietf.org
X-Spam-Relay-Country:
X-SA-Exim-Version: 4.2.1 (built Thu, 25 Oct 2007 00:26:12 +0000)
X-SA-Exim-Scanned: Yes (on mx02.mta.xmission.com)
Cc: hartmans-ietf@mit.edu, lha@apple.com
Subject: [secdir] Re-review of draft-lha-gssapi-delegate-policy-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Hilarie Orman <ho@alum.mit.edu>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Feb 2010 23:55:23 -0000
The draft, including typos, is unchanged since my review 3 months ago.
Hilarie
------------
Do not be alarmed. I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG. These comments were written primarily for
the benefit of the security area directors. Document editors and WG
chairs should treat these comments just like any other last call
comments.
The document describes an augmentation of the semantics of the GSSAPI
service delegation policy. It allows a client to ask a central server
if there is a policy allowing delegation of the service.
This is a something of a policy band-aid. The API currently supports
only unconditional delegation. This change allows a client to learn
if the local policy supports it. The decision might involve a
tier of Kerberos inter-realm servers, and the API is charged
with enforcing the policy of assuring that all tickets agree
that delegation is permitted.
The change is minimal, involving no over-the-wire changes, but I
imagine it is only part of the tip of a policy iceberg. If clients
are to make policy decisions about something as complex as delegation,
ultimately they will need more specific information, I would imagine.
The security of the mechanism depends on how wise the administrators
are when configuring the delegation policy, but the clients have
no insight into how the decision was reached.
I recommend that the security considerations section make some comment
about why a client would or would not make use of this new mechanism.
Perhaps it should be avoided for security-critical services ("don't
delegate, even if it is allowed")? Or should it always be used?
Section 2. Typo --- "to allow and administrator" should be "to allow
an administrator"
Section 4. Grammar --- "If the initiator set both ... " should be
"sets". Last paragraph "the the" should be "to the". "There state"
should be "their state".
Section 5. Grammar.
When the initiator uses deleg_policy_req_flag, the GSS-API
Kerberos mechanism, in addition to the service tickets' OK-AS-
DELEGATE flag, the MUST examine all cross realm tickets in the
traversal from the user's initial ticket-granting-ticket (TGT) to the
service ticket.
Suggested rewording
If the initiator sets the deleg_policy_req_flag, the GSS-API
Kerberos mechanism MUST examine the OK-AS-DELEGATE flag in the
service ticket, and it MUST examine all cross realm tickets in the
traversal from the user's initial ticket-granting-ticket (TGT) to
the service ticket.
Section 7.
Failure to specify deleg_policy_req_flag on the part of the client
can at worst result in NOT delegating credentials -- fails closed, a
desirable security property.
Suggested rewording.
A client's failure to specify deleg_policy_req_flag
can at worst result in NOT delegating credentials. This means
that the client does not expand its trust, which is generally safer
than the alternative.
- [secdir] Re-review of draft-lha-gssapi-delegate-p… Hilarie Orman