[01:47:13] --- jas has joined
[02:08:05] --- jas has left
[08:58:33] --- jhutz has joined
[09:14:36] --- Jeffrey Altman has joined
[09:20:44] <Jeffrey Altman> I have not seen an announcement to the krb-wg mailing list summarizing the audio stream and presentation information. Could one be sent?
[09:20:55] * Jeffrey Altman has changed the subject to: Kerberos Working Group at IETF 65
[09:27:40] <Jeffrey Altman> Audio stream info available at http://videolab.uoregon.edu/events/ietf/
[09:56:09] --- raeburn@jis.mit.edu has joined
[09:56:45] <Jeffrey Altman> would someone please test the microphone
[09:57:18] <raeburn@jis.mit.edu> just did...
[09:57:38] <Jeffrey Altman> apparently the audio server is no longer accessible
[09:59:11] <raeburn@jis.mit.edu> oops
[09:59:15] <Jeffrey Altman> looks like I am going to be sad
[10:00:02] <Jeffrey Altman> the test stream with classical music is working fine but the rooms are not
[10:00:44] --- hartmans has joined
[10:02:11] <raeburn@jis.mit.edu> The web page indicates contact addresses...
[10:02:19] --- djfrett has joined
[10:02:19] --- djfrett has left: Lost connection
[10:02:54] --- lha has joined
[10:03:15] --- jhutz has left: Disconnected
[10:03:20] <hartmans> They have been having network issues.
[10:03:24] --- leifj has joined
[10:03:26] <hartmans> Something about th eflooding.
[10:03:40] <hartmans> The IESG breakfast room is still flooded
[10:04:06] --- raeburn@jis.mit.edu has left
[10:04:21] --- Ken Raeburn has joined
[10:04:57] <Jeffrey Altman> I will be counting on good scribes then
[10:10:40] <lha> we have not started yet
[10:10:44] <hartmans> The room is very sparsely populated this morning.
[10:12:36] --- tlyu has joined
[10:14:00] --- LOGGING STARTED
[10:14:06] --- jhutz has joined
[10:14:28] --- nico has joined
[10:14:34] <jhutz> Information about the audio and jabber is on the WG web page http://grand.central.org/krb-wg/
[10:14:39] <jhutz> Is the audio working yet?
[10:15:39] <nico> 'lo
[10:17:07] <jhutz> whee!
[10:17:23] --- warlord has joined
[10:17:23] <nico> test
[10:17:26] --- lha has joined
[10:17:50] --- Jeffrey Altman has joined
[10:17:55] --- nov has joined
[10:18:27] <nico> grrr, I can't join apparea
[10:19:00] <Jeffrey Altman> audio is not working yet
[10:19:34] --- nico has left
[10:20:25] --- raeburn has joined
[10:20:36] --- nico has joined
[10:20:49] * nico is scribing
[10:20:55] <nico> doc status
[10:20:59] --- hartmans has joined
[10:21:06] <nico> the slide is old
[10:21:21] <nico> PKINIT is in the RFC Editor's queue
[10:21:30] <nico> similarly for enctype nego
[10:21:41] <nico> and ocsp for pkinit
[10:21:50] <nico> several outstanding thin gs
[10:21:54] <nico> ECC for PKINIT
[10:22:05] <nico> passed last call
[10:22:08] <nico> WGLC
[10:22:19] <nico> we may need to hold off
[10:22:25] <nico> anonymity work
[10:22:30] <nico> set passwd
[10:22:32] <nico> extensions
[10:22:39] <nico> is Simon here?
[10:22:54] <nico> we probably won't talk about his TLS thing
[10:23:05] <nico> agenda bashing (should have come first)
[10:23:11] <nico> see slide
[10:23:21] <nico> order will change
[10:23:26] <nico> anonymity first
[10:23:31] <nico> direction?
[10:23:53] <nico> interest in doing work is there, what path? need a conclusion
[10:24:09] <nico> if Larry's path there's at least one issue to discuss
[10:24:48] --- tanupoo has joined
[10:25:41] <jhutz> lalala
[10:27:19] --- lha has left: Replaced by new connection
[10:27:21] --- raeburn has left: Replaced by new connection
[10:27:51] --- nov has left: Replaced by new connection
[10:27:59] --- tlyu has joined
[10:28:05] --- leifj has joined
[10:28:07] --- nico has left: Replaced by new connection
[10:28:42] --- bcneuman has joined
[10:28:51] <hartmans> Test.
[10:28:52] --- nico has joined
[10:29:09] * nico is back
[10:29:19] <nico> we've been talking about alg. agility
[10:30:47] <nico> the krb5 GSS mech uses MD5 for channel bindings
[10:30:59] <bcneuman> The Audio is working for me.
[10:31:25] <Jeffrey Altman> I'm not getting a connection to the audio server yet
[10:31:56] <Jeffrey Altman> there we go. I have audio
[10:32:30] <nico> we really need to move away from MD5 for that -- we have an extensibility hole in the mech...
[10:32:59] <Jeffrey Altman> I have read larry's draft
[10:33:05] <Jeffrey Altman> but I just lost audio
[10:33:32] <nico> ....
[10:33:40] --- jas has joined
[10:35:01] <Jeffrey Altman> The W3C is looking for an anonymous solution for third party authentication.
[10:35:23] --- tlyu has left: Logged out
[10:35:24] --- nov has joined
[10:35:53] <hartmans> No, I was talking about identity hiding at the transport level; Larry's draft came before my talk.
[10:35:53] <hartmans> Test
[10:35:54] <Jeffrey Altman> they want to be able to ensure that if AOL has a contract with a third party to provide a service to all AOL users, they want the third party to be able to authenticate the user as "user from AOL" and not as the individual user
[10:36:12] --- tlyu has joined
[10:36:35] <leifj> not dissimilar to the problems solved by many sk identity federation protocols based on saml
[10:36:40] --- pbh has joined
[10:37:26] <nico> no scribing
[10:37:53] <Jeffrey Altman> exactly
[10:37:55] --- raeburn has joined
[10:38:19] <nico> the network sucks
[10:38:20] <Jeffrey Altman> We need to have a solution in this space and I believe that larry's draft is a step in the right direction
[10:38:25] <nico> ok, the network seems to be back
[10:38:29] <Jeffrey Altman> (love please speak up)
[10:38:33] <leifj> he has
[10:38:37] <leifj> in support
[10:39:11] <leifj> lha: I don't agree with everything but it is the right direction
[10:40:30] <leifj> larry is summarizing draft
[10:41:02] --- masahiro has joined
[10:41:21] --- nov has left: Replaced by new connection
[10:41:25] --- Ken Raeburn has joined
[10:41:27] --- nov has joined
[10:41:35] <Jeffrey Altman> it was better before
[10:42:13] --- raeburn has left
[10:42:14] <jhutz> is audio working again?
[10:43:25] <hartmans> Note that I think the name used here is wrong.
[10:43:36] <nico> technical discussion of how the protocol (anonymity) works
[10:43:44] <hartmans> In particular, I don' think the empty realm is valid.
[10:44:20] <leifj> why?
[10:44:58] <jhutz> Well, it's valid if we say it is, but I think existing implementations might not be happy about it.
[10:45:13] <jhutz> But that's the sort of issue we can work on, if we adopt the draft
[10:45:19] <leifj> ah, I see
[10:46:00] <leifj> I thought sam had architectural, rather than deployment-related issues
[10:47:14] <tlyu> i think A/N/O/N/Y/M/O/U/S might be less likely to be deployed than a three-component principal
[10:48:27] <nico> valid realm names are useful anyways
[10:48:27] <nico> heh
[10:48:57] <pbh> I couldn't hear any hums in response to either question.
[10:49:18] <nico> there were hums on the yes
[10:49:21] <nico> none on the no
[10:49:26] <leifj> people didn't hum at the mic
[10:51:07] <nico> they never do...
[10:51:11] <nico> :)
[10:51:42] --- sc has joined
[10:53:05] <pbh> audio just dropped?
[10:53:25] <Jeffrey Altman> I still have audio
[10:53:42] <bcneuman> I have had no problems with audio at all since I connected. I think the problems may be more local to some of the other listeners.
[10:54:13] <pbh> Thanks, I have it back.
[10:55:44] <Jeffrey Altman> I think the "ANONYMOUS:" name is a good solution
[10:56:19] <hartmans> I agree anonymous: works
[10:58:29] <Jeffrey Altman> CIFS ?
[11:00:09] <Jeffrey Altman> does Microsoft reserve any "account names"?
[11:00:21] <nico> I've used three-component princ names for other things in the past
[11:02:12] <Jeffrey Altman> why wouldn't it be on an ACL?
[11:02:20] <leifj> stupid question time: can't we just reserve a domain-type realm and bless it as the anonymous realm?
[11:03:28] <nico> we could
[11:05:04] <nico> I really doubt that there will be a collision on this name
[11:05:21] <nico> but I do think we need an authz-data element for anonymity and pseudonymity
[11:06:34] <nico> how's the audio stream?
[11:06:42] <Jeffrey Altman> audio is good
[11:07:09] --- lha has joined
[11:07:19] <leifj> isn't the general idea that as soon as you have anonymous tickets you can re-introduce the right level of identification for your application in (say) saml assertions ?
[11:07:36] <nico> and in authz-data, yes
[11:07:42] <leifj> yes
[11:08:03] <nico> leifj: so, are you saying that we'll have authz-data anyways?
[11:08:04] <jhutz> maybe we need to turn down the level a notch on larry's mic, too
[11:08:57] <leifj> I don't know - there might be applications which only need anonymity and nothing else. Especially with your suggestion of anonymous@SOME.REAL.REALM
[11:09:11] <nico> yes
[11:09:19] <nico> that would be my retort
[11:09:39] <nico> jhutz: is suggesting that we need to do something general w.r.t. namespace reservations
[11:09:52] <nico> I'm not sure where he's going with that
[11:11:02] --- wrstuden has joined
[11:11:08] --- quinn has joined
[11:11:14] <nico> jhutz made an ugly face
[11:11:22] <nico> at my suggestion at the mic
[11:13:38] <tlyu> oh look i appear to have love's name as a last name
[11:13:42] <nico> how much time do we have?
[11:13:50] <nico> will we have time for extensions?
[11:14:18] --- nov has left
[11:15:25] --- saber has joined
[11:15:36] * nico worries about how to ensure that the issued ticket really is anonymous
[11:16:06] <nico> authenticated plaintext and all that
[11:17:23] <Jeffrey Altman> lost audio
[11:18:18] <jhutz> You don't have any now?
[11:18:38] <jhutz> Aaron is talking about the issue he thinks he found in Larry's anonymous draft
[11:19:23] <Jeffrey Altman> nope,none
[11:19:39] <nico> ok, so that's the sort of thing I was just saying I was worried about
[11:20:04] <pbh> also lost audio and a local rstart didn't help
[11:22:17] <Jeffrey Altman> could someone please scribe?
[11:22:37] <nico> are the slides online?
[11:22:48] <Jeffrey Altman> slides are online. I'm trying to convert them to PDF
[11:23:04] <nico> should be sufficient
[11:23:16] <leifj> this was more or less a straight narrative of the slides
[11:23:47] <leifj> nico claims this is a problem which stems from the fact that not all plaintext is authenticated
[11:23:56] <leifj> some discussion around this
[11:24:00] <nico> I claimed no such thing
[11:24:21] <leifj> k - nico will say what he said ...
[11:24:45] --- saber has left: Logged out
[11:25:18] --- jhutz has left: Disconnected
[11:25:40] <lha> I converted the slides, jhutz have them
[11:25:46] --- saber has joined
[11:26:01] <Jeffrey Altman> if jhutz adds me to the krb-wg acl I can upload the ones I produced
[11:26:12] <nico> I asked
[11:26:33] --- jhutz has joined
[11:26:35] --- kdz has joined
[11:26:43] <nico> I asked if solving the authenticated plaintext problem would be sufficient
[11:26:48] <jhutz> I have the ones from Love. They are on the gco site now.
[11:26:55] <nico> there is the issue of binding the ticket and reply
[11:26:55] <jhutz> I am about to upload to the IETF proceedings.
[11:27:06] <nico> which I consider part of the authenticated plaintext problem
[11:27:23] --- mwchapel has joined
[11:27:35] <nico> if we authenticate the plaintext, by which I mean the entire requests and replies
[11:27:50] <Jeffrey Altman> audio is back
[11:28:07] <nico> then the existing binding between of reply to request ought to suffice
[11:28:21] <nico> thought I'd certainly like stronger reply-to-request bindings
[11:30:11] --- nov has joined
[11:30:53] <jhutz> Files are uploaded to the IETF meeting materials page, including an updated agenda.
[11:31:14] --- kdz has left
[11:31:55] <Jeffrey Altman> mic please (to Sam)
[11:32:36] <nico> sam provided an answer
[11:32:50] <jhutz> can people here tom right now?
[11:33:21] --- leifj has left
[11:34:31] <nico> the PA-TGS-REQ AP-REQ authenticator has a checksum of the TGS-REQ
[11:38:48] <nico> we don't have such a checksum on AS-REQ bodies though, do we
[11:39:16] --- masahiro has left: Replaced by new connection
[11:39:17] <nico> i.e., PA-ENC-TIMESTAMP does not provide any such authentication, unlike PA-TGS-REQ
[11:39:32] <hartmans> No, we do not.
[11:39:34] <hartmans> So you can definitely swap replies.
[11:41:43] <nico> right, so we should either do something about that
[11:42:00] <nico> (extensions)
[11:43:25] <Jeffrey Altman> sam please use the mic
[11:43:48] <hartmans> This is fixed in extensions.
[11:44:23] <hartmans> O, hey, no it isn't.
[11:45:13] <hartmans> Particularly given that we don't know how we would rework to fix this
[11:45:54] --- lha has left: Replaced by new connection
[11:46:03] <nico> huh?
[11:46:08] <nico> sam is going to the mic
[11:46:20] --- lha has joined
[11:48:04] --- lha has left: Replaced by new connection
[11:50:47] --- psangster has joined
[11:53:04] <Jeffrey Altman> I think we need to go with the Security Considerations approach
[11:53:25] <Jeffrey Altman> are we going to discuss referrals?
[11:53:42] <Ken Raeburn> Only if there's time, it seems.
[11:55:18] --- gtw has joined
[12:00:31] --- nov has left: Replaced by new connection
[12:01:07] --- nov has joined
[12:02:17] --- BrianTung has joined
[12:04:41] --- nov has left: Replaced by new connection
[12:06:10] --- nov has joined
[12:08:39] <pbh> repeat the question
[12:08:44] --- wrstuden has left
[12:08:50] <Ken Raeburn> "What about rfc4121?"
[12:08:56] <Ken Raeburn> (it uses md5 hashes)
[12:08:57] <pbh> thanks
[12:10:01] --- leifj has joined
[12:10:24] <Ken Raeburn> (Hmm, too bad we don't have a way of broadcasting the projector data to the net... would probably be a low-bandwidth video feed...)
[12:12:08] --- gtw has left
[12:13:28] --- psangster has left
[12:14:14] <Jeffrey Altman> it would be easy
[12:14:22] <Jeffrey Altman> jhutz should edit the file in afs
[12:14:27] <Jeffrey Altman> and save it periodically
[12:16:03] --- psangster has joined
[12:16:40] <Ken Raeburn> No, I meant generically -- every presentation; as long as it's not actual video, it shouldn't take much bandwidth.
[12:16:49] --- psangster has left
[12:16:52] --- nico has left
[12:19:27] --- psangster has joined
[12:22:43] --- pbh has left
[12:22:57] --- Ken Raeburn has left
[12:23:00] --- tlyu has left: Logged out
[12:24:41] --- hartmans has left
[12:25:09] --- bcneuman has left
[12:28:09] --- leifj has left
[12:28:17] --- BrianTung has left
[12:30:50] --- nov has left
[12:31:11] --- mwchapel has left
[12:31:40] --- tanupoo has left
[12:32:36] --- psangster has left
[12:33:33] --- saber has left
[12:33:51] --- warlord has left
[12:37:23] <jhutz> That's an interesting idea. Maybe I'll think about how to do it.
[12:37:26] --- jhutz has left
[12:37:32] --- sc has left
[12:38:22] <Jeffrey Altman> by original plan was to grab a web cam that would take photographs once a minute and save them to afs
[12:39:00] --- Jeffrey Altman has left
[12:59:30] --- LOGGING STARTED
[12:59:40] --- jas has joined
[13:03:30] --- LOGGING STARTED
[13:04:40] --- jas has joined
[13:42:33] --- quinn has joined
[15:12:20] --- jas has left
[16:10:43] --- gtw has joined
[16:10:58] --- gtw has left
[16:35:50] --- quinn has left