IETF
krb-wg
krb-wg@jabber.ietf.org
Friday, 18 November 2011
jhutz@jis.mit.edu/owl has set the subject to: krb-wg meeting IETF 81 http://tinyurl.com/ietf81-krb-wg-audio

GMT+0
[00:52:39] jimsch1 joins the room
[00:52:58] tlyu joins the room
[00:53:18] Thomas Hardjono joins the room
[00:58:10] sftcd joins the room
[00:58:13] semery joins the room
[00:59:12] <sftcd> thomas - you're remote right?
[00:59:40] <Thomas Hardjono> Yes.
[00:59:52] Satoru Kanno joins the room
[01:00:01] <sftcd> just checking in case you've magically arrived:-)
[01:00:11] <sftcd> usual "mic:" thing if you want stuff stated
[01:00:27] hbhotz joins the room
[01:02:58] <Thomas Hardjono> ok, thanks.
[01:07:49] nico joins the room
[01:07:56] <nico> hi
[01:08:12] <nico> cooking dinner
[01:08:30] <sftcd> audio is at http://ietf82streaming.dnsalias.net/ietf/ietf827.m3u
[01:08:32] hbhotz leaves the room
[01:08:39] sftcd has set the subject to: krb-wg meeting IETF 82
[01:08:54] <nico> yes, I've got audio
[01:09:17] Sean Turner joins the room
[01:10:45] hbhotz joins the room
[01:11:19] <hbhotz> Test?
[01:12:16] <nico> what would it take to develop a new prep?
[01:12:21] <nico> I'm ok with using SASLprep
[01:12:24] <nico> just very sad
[01:12:25] <sftcd> @nico: for the mic?
[01:12:31] <nico> if you want
[01:12:39] <nico> I'm not sure it's a consequential comment
[01:12:46] <sftcd> skip it so
[01:15:27] <nico> was afk; what's the current subject?
[01:15:46] <sftcd> some other comment of simon's
[01:15:53] <tlyu> otp hexadecimal/decimal/alphanumeric
[01:15:55] <nico> ah
[01:15:57] <nico> yes
[01:16:01] <nico> don't prep those!
[01:16:11] <nico> if it's all ASCII alphanum, leave it
[01:18:57] <nico> which I-D is this?
[01:19:07] <sftcd> http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-13
[01:19:10] <nico> thanks
[01:20:22] <nico> looking
[01:20:44] <semery> preauth
[01:21:27] <sftcd> moving on to kdc-model leif presenting
[01:22:05] <sftcd> there's a status slide
[01:22:56] Shoichi Sakane joins the room
[01:23:13] Shoichi Sakane leaves the room
[01:24:45] <nico> someone relay this to Sam (or ask him to join the room): can we say that server alias referrals can be done using FAST for TGS and having the KDC return the correct ticket, which the client then has to inspect to see if the sname changed?
[01:24:57] <sftcd> will do
[01:25:16] <sftcd> actually I don't see him on jabber at all, nico so you may as well email it
[01:25:41] Thomas Hardjono leaves the room
[01:25:42] Thomas Hardjono joins the room
[01:25:47] <sftcd> but i can mention it when leif's done if you want
[01:25:51] <nico> well, but he's in the physical room :)
[01:25:56] <nico> sure, thanks
[01:30:17] <nico> I'll review the issue
[01:30:21] <nico> and then comment
[01:30:30] <nico> I missed the discussion on the audio
[01:30:34] <nico> because I was cooking :)
[01:33:43] <nico> IMO we should have: a) schema and direct object access for a lot of things, but b) *operations*
[01:33:47] <nico> LDAP has extended operations
[01:34:08] <nico> so if you want to do operations like set/change password/keys via LDAP, then do it via extended operations
[01:34:25] <nico> it is important to be able to manipulate all keys directly
[01:34:31] <nico> particularly to fetch them
[01:34:46] <nico> I do want to be able to store keys with some separation from the DS
[01:34:57] <nico> feel free to channel me on this
[01:35:13] <sftcd> all of that?
[01:35:28] <sftcd> better if you put "mic:" in front of what you'd like said
[01:35:37] <nico> well, just tell them my comments are in the room
[01:35:41] <sftcd> ok
[01:35:44] <nico> yes, all of that
[01:36:08] <nico> thanks!
[01:36:15] <nico> (sorry there's so much)
[01:36:36] <nico> ok
[01:36:38] <nico> on the list
[01:36:57] <sftcd> ack
[01:40:08] <nico> dude, with a canon flag
[01:40:20] <nico> mic: Sam, that'd be only if the right flag is set
[01:40:59] <nico> ok
[01:41:03] <nico> audio cut out
[01:41:37] <nico> audio back
[01:41:41] <sftcd> on to gss-preauth
[01:41:49] <nico> I missed everything past "please include a use case"
[01:42:17] <sftcd> that was basically it, sam asked you to take it to the list with a use-case included
[01:42:47] <jimsch1> State what case it is useful in and what the change gets users in those cases that is not currently happening
[01:43:46] <nico> I really like the protocol transition scheme
[01:44:27] weiyinxing joins the room
[01:44:35] <nico> I want GSS pre-auth, but maybe it's for sentimental reasons
[01:49:21] <nico> mic: regarding PAC/PAD, I've been wondering whether it wouldn't be better (to reduce ticket size) to have the PAC/PAD bear anonymous credentials authorized to make the lookup operations that would yield what would have been the contents of the PAC/PAD instead
[01:49:53] <hbhotz> Must be more general than just LoA 1-4. Also different org's may evaluate the NIST levels using different policies.
[01:50:01] <nico> mic: Tom, why not just include the client cert in authz-data?
[01:50:57] <sftcd> @nico: Jim's in queue for you
[01:51:05] <nico> thanks!
[01:51:09] <hbhotz> Doug Engert has suggested that. Given it's a PKINIT authentication that makes sense.
[01:51:53] <hbhotz> If it's an OTP authentication then what? (Depends on local policy and the deployment standards.)
[01:51:54] <nico> are LOAs mere assertions?
[01:52:05] <nico> if so, why not just.. carry them?
[01:52:43] <nico> hbhotz: in the OTP case, why not include a TBSCertificate without the subjectPublicKey
[01:53:08] <nico> (or with a bogus, very short subjectPublicKey)
[01:53:16] <hbhotz> I'm not opposed to just having a single number which is the local-policy-defined LoA for whatever authent was done.
[01:53:35] <nico> LoA could just be name@domain
[01:53:52] <nico> with some standard LoAs defined
[01:54:17] <hbhotz> Also not opposed to manufactured TBSCertificate, though that brings in a fair amount of complexity.
[01:54:43] <nico> sam: like a SID? I'd be happy to standardize SIDs, FYI, but we'd want MSFT to be willing to do that too
[01:54:56] <nico> hbhotz: not really
[01:55:09] <nico> I'm willing to review
[01:55:18] <hbhotz> How does name@domain define LoA? Are you assuming that "domain" is LoA?
[01:55:28] <Thomas Hardjono> Mic: Thomas is willing to write and review
[01:55:31] <nico> no, domain would define the name part
[01:55:50] <nico> huh; there's no wikipedia page for LoA
[01:56:01] <hbhotz> Level of Assurance
[01:56:06] <nico> i know
[01:57:11] <hbhotz> for NIST it's an integer 1..4. 1 is password sent over-the-wire. 4 is 2-factor hardware token suitable for operations that might affect human life.
[01:57:36] Melinda joins the room
[01:58:00] <nico> hbhotz: so what? we could represent them as <number>@nist.gov.us
[01:58:32] <hbhotz> Oh, so that's what you mean by "domain".
[01:58:44] <nico> yes
[01:58:48] <nico> like SSHv2
[01:58:57] <nico> domain here would be like "registry"
[01:59:20] <nico> LoA-name@LoA-registry-name
[01:59:28] <hbhotz> is URL a better framework? Just thinking out loud.
[01:59:44] <nico> URN
[01:59:53] <nico> yes
[01:59:58] <hbhotz> K :-)
[02:00:04] <nico> :)
[02:00:30] <nico> I don't mind having this complexity in the KDC
[02:00:39] <nico> I do mind having this complexity in the RP
[02:02:50] semery leaves the room
[02:04:19] <Thomas Hardjono> We still have an hour I think. Are we done?
[02:04:24] weiyinxing leaves the room
[02:04:27] <nico> well
[02:04:32] <nico> we could talk about all sorts of things
[02:04:36] <nico> rcache avoidance...
[02:04:44] <nico> more GSS pre-auth
[02:04:51] <nico> more protocol transition
[02:04:59] <nico> but it seems no one wants to
[02:05:08] <hbhotz> Where the nearest vending machine is, since I'm at work, not in the kitchen.
[02:05:18] <hbhotz> :-)
[02:07:11] <Thomas Hardjono> Anyone left in the meeting room?
[02:10:12] jhutz@jis.mit.edu/owl joins the room
[02:13:20] Melinda leaves the room
[02:14:19] <Thomas Hardjono> Bye all.
[02:14:28] Thomas Hardjono leaves the room
[02:14:43] hbhotz leaves the room
[02:14:52] nico leaves the room
[02:14:54] <jhutz@jis.mit.edu/owl> Some slides are up, btw
[02:15:07] sftcd leaves the room
[02:15:50] Sean Turner leaves the room
[02:20:20] jimsch1 leaves the room
[02:24:51] Sean Turner joins the room
[02:25:24] Sean Turner leaves the room
[02:27:30] tlyu leaves the room
[02:54:07] yaovct joins the room
[02:54:11] yaovct leaves the room
[03:00:51] Satoru Kanno leaves the room
[03:07:46] TACHIBANA toshio joins the room
[03:07:52] TACHIBANA toshio leaves the room
[03:08:53] jimsch1 joins the room
[03:09:02] jimsch1 leaves the room
[03:17:27] hbhotz joins the room
[03:17:53] hbhotz leaves the room
[03:22:10] Satoru Kanno joins the room
[03:29:36] Satoru Kanno leaves the room