[03:39:20] --- aelvin has joined
[03:39:36] --- aelvin has left
[05:03:51] --- Simon Josefsson has joined
[08:08:36] --- hartmans has joined
[08:08:43] --- hartmans has left
[08:11:08] --- lukeh has joined
[08:29:50] --- raeburn has joined
[08:38:53] --- IETF Meeting Room has joined
[08:39:53] --- jhutz has joined
[08:40:47] <raeburn> Does the audio feed to the net work?
[08:41:43] <jhutz> Still checking that.
[08:42:05] <jhutz> Good morning, and welcome to the 66th IETF and to the Kerberos Working Group.
[08:42:19] <raeburn> Well, yes, I was hoping maybe someone in the chat room was listening to the feed too...
[08:42:50] <jhutz> Audio for this room will be available at http://videolab.uoregon.edu/events/ietf/ietf667.m3u
[08:43:10] <jhutz> You already know the jabber room is krb-wg@jabber.ietf.org (not rooms.jabber.ietf.org). Tell your friends.
[08:43:40] <jhutz> The agenda and presentations will be available online shortly, at https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=66
[08:45:45] --- Jeffrey Altman has joined
[08:46:01] * Jeffrey Altman has changed the subject to: 66th IETF - Kerberos Working Group - Room 519A
[08:50:35] --- IETF Meeting Room has left: Disconnected
[08:51:13] --- IETF Meeting Room has joined
[08:51:40] --- tlyu@jis.mit.edu has joined
[08:52:02] --- lha has joined
[08:52:43] --- Jeffrey Altman has left: Replaced by new connection
[08:53:10] --- bcneuman has joined
[08:53:26] <jhutz> Good morning, Cliff. Thanks for getting up to join us.
[08:53:45] <bcneuman> FYI, I hear the adio feed fine (I recognized jhutz's voice)
[08:54:05] --- nico has joined
[08:54:45] <jhutz> For the information of people in this room but not present physically, we are trying an experiment today in krb-wg, kitten, and SASL.
[08:55:49] <jhutz> We have an extra laptop and projector, set up to display the jabber room so everyone present can see it.
[08:56:05] <jhutz> So, no snide comments, please
[08:56:15] <jhutz> Well, at least keep them to a minimum.
[08:56:52] --- leifj has joined
[08:58:35] --- hartmans has joined
[09:00:43] --- Jeffrey Altman has joined
[09:01:27] <Simon Josefsson> I lost audio... anyone else with similar problems?
[09:01:37] <lukeh> Doesn't work for me but could be firewall
[09:03:00] <hartmans> No one is talking.
[09:03:13] <Jeffrey Altman> I requested that the audio gain be raised.
[09:03:34] --- saber has joined
[09:03:37] <Simon Josefsson> The server were down, seem to be back now.
[09:03:52] <Jeffrey Altman> is the audio volume ok?
[09:03:54] --- larry has joined
[09:04:08] <hartmans> saber: You are here, but your co-authors are not?
[09:04:34] <saber> I guess they are in their way
[09:05:43] <bcneuman> I am not getting audio. I just tried restarting the auid but still no luck.
[09:05:53] <hartmans> O, I thought that several were still in Japan and could not make this meeting.
[09:06:00] <Simon Josefsson> Same here. I get a 404 from the audio server.
[09:06:03] --- masahiro has joined
[09:06:35] --- nov has joined
[09:07:02] <jhutz> We're working on getting the audio server fixed.
[09:08:25] <hartmans> Do we want to scribe here or ill the projection not work well with that
[09:08:56] <Simon Josefsson> Audio working now
[09:09:19] <Jeffrey Altman> scribing to Jabber to should be fine with the projection
[09:09:51] <bcneuman> Got audio fine now.
[09:21:25] --- nico has left
[09:21:31] --- nico has joined
[09:26:05] <nico> is there no scribing?
[09:26:18] <nico> just note taking?
[09:26:51] <hartmans> Larry i scribing to presumably Wor
[09:28:04] --- Melinda has joined
[09:31:56] --- pbh has joined
[09:33:39] <hartmans> Is he being picked up by the audio feed?
[09:34:18] <saber> yes, fine for me
[09:35:07] <jhutz> Anyone with cell phones in the meeting room, please insure they are turned off or set to silent mode. Thanks.
[09:36:35] --- wyllys has joined
[09:38:21] <hartmans> How much of that is network delay, how much of that is CPU?
[09:38:46] <jhutz> There will be time for questions at the end.
[09:39:28] <nico> uhm, how do you roam realms?
[09:39:59] <lha> realms doesn't roam, the user roam
[09:40:05] <hartmans> Jeff, sure, but the point of jabber is to ask questions during:-)
[09:40:06] <saber> afaik KDC and client are in the same link
[09:40:21] <jhutz> Yeah, but I doubt any of us can answer yours.
[09:40:35] <nico> lha: yes, sure, how does the user roam realms?
[09:40:56] <jhutz> The user roams to a foreign network where he has to auth in order to get network access.
[09:40:59] <lha> they have a proposal for that in the draft
[09:41:14] <jhutz> And he could do cross-realm to the "local" realm, if he could only talk to his home KDC to get a TGT
[09:41:42] <bcneuman> I am interested in how this relates (or if he looked at) any of the alterntives that were proposes for pkcross. These were put onhold pending pkinit completion which is not concluded, so perhaps it is time to ressurect that activity (perhaps a question for the charter discussion).
[09:42:07] <bcneuman> (that was which is now concluded)
[09:42:07] <nico> right, but what I thought I took away is that they want the user to get a new principal in the visited realm
[09:42:14] <nico> maybe I should read the doc :)
[09:42:19] --- semery has joined
[09:42:30] <hartmans> I don't want to charter anything that depends on ticket extensions until 1510ter is done, but I'd be happy to contemplate other stuff in that space.
[09:42:36] <lha> pk-cross waits for extentions :(
[09:43:10] <nico> well, we could bootstrap direct realm2realm paths using hierarchical paths and w/o PK
[09:43:33] <raeburn> I'm impressed that someone got the MIT code working on such small processors.
[09:44:00] <bcneuman> Actually, what is described here seems closer to an earlier version of pk-cross. There were two approaches, one of which depends on extensions. The other one was considered at one point for direct KDC-KDC communication, but that approach was subsequently reconsidered in light of the via the client version, and it is via the client version which was extensions gated.
[09:44:16] <lha> or we could be creative ticket and not need extentions
[09:44:30] <lha> creative with the ticket
[09:45:35] <nico> maybe we could do KDC-KDC through client u2u
[09:46:48] <Simon Josefsson> The no-PFS problem applies to non-cross-realm scenarios too, and I think it is a real problem.
[09:47:00] <saber> the KDC and the device are in the same link
[09:47:41] <saber> so network basically does small delay in proportion to the cpu delay
[09:47:48] <nico> got it
[09:47:52] <nico> the CPU is very slow
[09:48:13] <masahiro> right, it is 8-bit CPU
[09:48:31] <jhutz> At 22MHz, which is pretty fast for an 8-bit CPU :-0
[09:48:31] --- warlord has joined
[09:48:55] <hartmans> saber: That doesn't follow. There are some networks (low bandwith cellular) where two devices on the same link are very slow.
[09:49:13] <hartmans> But what I understand your statement to mean is that you had a reasonably fast network and you still had this speed problem.
[09:49:29] <saber> yeap
[09:50:02] <hartmans> OK. that is interesting.
[09:50:21] <masahiro> IIRC, the ported MIT code is not optimized for 8-bit CPU so it is incredibly slow, but it would be slow enough ;-) even we have optimized code.
[09:51:14] <hartmans> Yes, understood.
[09:51:24] --- jis has joined
[09:52:42] <bcneuman> Yes
[09:54:18] <bcneuman> Audio seemd to stop just after I said yes (or has it been quiet there).
[09:54:35] <bcneuman> Its working again.
[09:55:10] <jhutz> This presentation will be added to the web page in a moment...
[09:55:17] <raeburn> It was quiet here.
[09:56:42] <Jeffrey Altman> who is speaking?
[09:58:22] <nico> folks not physically present can't distinguish between audio-is-broken and noone-is-speaking
[09:58:31] <jhutz> Slides for this are now on the net.
[09:58:44] --- a.d.jaggard has joined
[09:59:10] <jhutz> Andrea Doherty is speaking
[10:01:11] <wyllys> she is very hard to hear.
[10:01:37] <nico> are you asking that she speak up or closer to the mic?
[10:01:37] <Jeffrey Altman> we are on the slide titled "Pre-authentication Exchange"
[10:01:57] <wyllys> either/or both (louder and closer).
[10:02:03] --- ShoichiSakane has joined
[10:02:18] <Jeffrey Altman> slide "PA-OTP-CHALLENGE"
[10:02:30] <wyllys> a little better
[10:03:42] <hartmans> What reply key is used?
[10:06:44] <jhutz> I don't see an answer to that in the slides
[10:07:25] <nico> I'm guessing a key derived from the OTP
[10:07:30] <nico> why isn't the s2k params enough?
[10:07:39] <nico> ^is^are
[10:07:46] * hartmans is unconvinced that pin change should be in the as-req/response chain.
[10:08:00] <nico> or are we talking about bootstrapping a shared secret for hardening?
[10:08:14] <hartmans> I think we are talking about bootstrapping.
[10:08:22] <jhutz> I think this is "you must change your PIN to proceed", like requiring a password change to log in
[10:08:48] <nico> on the ephemeral DH matter... Sam, where's your pre-auth framework? :)
[10:25:28] <bcneuman> There might ben an issue of understanding the timeline for extensions before deciding what other things should be in the charter, esp. wrt things that might be gated on extensions.
[10:26:17] <bcneuman> I am.
[10:27:00] <lukeh> yes
[10:27:06] <bcneuman> Yes - for preauth.
[10:27:11] <wyllys> yes - for preath
[10:27:19] <saber> yes for preaith
[10:33:25] --- ShoichiSakane has left
[10:33:34] --- ShoichiSakane has joined
[10:34:47] --- kwcoffman has joined
[10:35:06] --- camargo has joined
[10:35:59] <Simon Josefsson> Yep
[10:36:17] --- camargo has left
[10:36:27] <Simon Josefsson> FYI, the reason my draft expired is that I'm waiting for the extension mechanism.
[10:37:03] --- lukeh has left: Replaced by new connection
[10:37:33] <Simon Josefsson> I'd be happy to add channel binding is there is a good argument to do so.
[10:37:34] --- zrelli has joined
[10:38:19] --- bcneuman has left
[10:38:56] --- lukeh has joined
[10:41:44] --- lukeh has left: Replaced by new connection
[10:42:06] --- lukeh has joined
[10:43:26] --- bcneuman has joined
[10:43:43] --- Melinda has left
[10:44:04] <zrelli> Yes for cross-realm investigations
[10:44:08] --- jis has left: Logged out
[10:44:11] <a.d.jaggard> Yes for cross-realm
[10:44:57] <bcneuman> I'm back, but had some problem with a half dropped connection.
[10:47:29] --- lukeh has left: Replaced by new connection
[10:48:27] --- lukeh has joined
[10:48:46] <bcneuman> Yes for information model.
[10:48:56] <lukeh> Yes for the information model
[10:49:15] <a.d.jaggard> Probably yes for info. model
[10:49:19] <wyllys> yes for info.
[10:50:23] <wyllys> Can JHutz speak up or closer to the mic?
[10:51:49] <lukeh> I wonder if it is too late for standardization given the deployed base
[10:53:18] --- zrelli has left: Logged out
[10:53:30] <lukeh> I'm undecided
[10:53:30] --- saber has left: Lost connection
[10:53:33] --- a.d.jaggard has left
[10:53:36] --- nov has left
[10:53:42] <Simon Josefsson> Yes for informational model
[10:53:52] <lukeh> I mean, giving finite working group resources
[10:53:53] * nico is a don't care on this because I think this would a fine individual submission
[10:53:56] --- saber has joined
[10:54:35] <Simon Josefsson> Informational/individual would be fine for me too
[10:55:13] <wyllys> individual submission is probably the only way it will ever get done.
[10:55:22] <nico> basically, I don't think making it a WG work item will help get it done
[10:55:40] <Simon Josefsson> I tend to agree with wyllys and nico here...
[10:55:41] <wyllys> obviously, the WG has been talking about it for YEARS and still not much progress has been made.
[10:56:00] <jhutz> actually, the wg really hasn't been talking about it
[10:56:13] <wyllys> well, people within the WG have been talking about it then.
[10:57:10] <wyllys> yes, I am ok with Sam's statement.
[10:57:10] <Simon Josefsson> basically, i'd like to see it done. i don't care how. I'm using leif's info model in shishi, translated into a rough C API. it has good ideas in it.
[10:57:41] <jhutz> ... and they've been working on it
[10:58:40] --- kwcoffman has left
[10:58:47] --- kwcoffman has joined
[11:00:59] <leifj> I commented off-mic that I don't really care if it is individual or wg
[11:03:53] <warlord> krb-wging? "EEP! I'm Wigging Out!"?
[11:03:58] --- Simon Josefsson has left
[11:05:09] <leifj> "kerbing"
[11:08:53] <bcneuman> I have some minor comments on these which I will send to Larry.
[11:10:42] --- a.d.jaggard has joined
[11:11:24] <bcneuman> But removing restrictions from an new anonmymous identity might be OK. I have to think about this.
[11:12:24] <bcneuman> Basically, the reason you were not allowed to remove restrictions was that the ticket otherwise implied an identity and you didn't want a new ticket to have the same identity without the restriction. If the ticket does not imply an identity, then it might be OK to remove restrictions, but this might need some thought before I am willing to say this should be OK.
[11:12:55] <bcneuman> You may be usinig the term critical incorrectly.
[11:13:35] <bcneuman> (please relay my comments to the discussion)
[11:16:37] <bcneuman> I will write up some discussion and send it to the list.
[11:20:29] <jhutz> thanks
[11:28:41] --- stefans has joined
[11:28:59] --- hartmans has left
[11:29:14] --- jhutz has left
[11:29:23] <bcneuman> I will send Ken my thoughts on trust issues for the server referrals, which might result in an update to the security considerations.
[11:29:35] --- jhutz has joined
[11:29:44] --- leifj has left
[11:31:13] <bcneuman> I will also do so.
[11:32:19] --- tlyu@jis.mit.edu has left
[11:32:29] --- ShoichiSakane has left
[11:32:32] <raeburn> Thanks.
[11:32:44] --- Jeffrey Altman has left
[11:32:55] --- lha has left
[11:33:14] --- raeburn has left: Disconnected
[11:33:17] --- bcneuman has left
[11:33:19] --- a.d.jaggard has left
[11:33:31] --- warlord has left
[11:34:57] --- nico has left
[11:35:13] --- IETF Meeting Room has left: Disconnected
[11:35:17] --- wyllys has left
[11:35:22] --- nico has joined
[11:37:09] --- nico has left
[11:37:55] --- jhutz has left: Disconnected
[11:40:07] --- kwcoffman has left
[11:44:04] --- saber has left
[11:50:30] --- stefans has left
[12:01:38] --- masahiro has left
[12:32:00] --- pbh has left
[12:54:37] --- masahiro has joined
[13:00:09] --- semery has left
[13:10:54] --- masahiro has left
[13:19:07] --- stefans has joined
[14:05:40] --- nov has joined
[14:05:55] --- nov has left
[14:16:40] --- jhutz has joined
[14:27:52] --- jhutz has left
[15:20:57] --- stefans has left
[16:01:31] --- larry has left
[16:09:04] --- stefans has joined
[16:32:45] --- stefans has left
[16:50:31] --- nov has joined
[16:56:42] --- nov has left
[19:00:30] --- LOGGING STARTED