[00:03:35] --- hartmans has joined
[02:47:09] --- hartmans has left
[08:12:15] --- DougEngert has joined
[08:12:30] <DougEngert> Good Morning Ken
[08:53:16] --- DougEngert has left
[09:47:17] --- N7DR has joined
[10:02:25] --- N7DR has left
[10:14:42] --- Doc Evans has joined
[10:16:41] --- Doc Evans has left
[10:17:23] --- Doc Evans has joined
[11:09:10] --- larry has joined
[11:09:33] <larry> huh, I am here too1
[11:12:56] <Doc Evans> Hi, Larry
[11:24:55] <larry> hi, good morning Doug
[11:26:37] <Doc Evans> Doug's not here
[11:26:57] <Doc Evans> Just you and me
[11:27:09] <Doc Evans> Ken is loggesd in, but I assume that he's sleeping
[11:38:03] --- jas has joined
[11:58:00] --- Doc Evans has left
[11:58:43] --- Doc Evans has joined
[11:59:15] --- Doc Evans has left
[11:59:23] --- Doc Evans has joined
[11:59:28] --- Doc Evans has left
[12:00:25] --- Doc Evans has joined
[12:01:56] <Doc Evans> Sorry about the multiple joins... trying to configure Psi so that it does the right thing, and it seems to need to be stopped and re-started for some of the changes to work properly
[12:13:30] --- jas has left: Disconnected
[12:15:23] --- Doc Evans has left
[12:40:51] --- Doc Evans has joined
[14:20:04] --- DougEngert has joined
[14:21:28] <DougEngert> Checking of this works from the office.
[14:21:28] --- larry has left: Lost connection
[16:16:16] --- DougEngert has left
[16:16:16] --- raeburn has left: Lost connection
[16:24:14] --- jas has joined
[16:39:45] --- larry has joined
[16:46:46] --- raeburn has joined
[16:47:36] <raeburn> Hello. Good morning/afternoon/evening, as appropriate...
[16:48:16] <larry> is there anything happening here?
[16:48:17] <raeburn> (Is anyone who's on right now actually in Seoul? It's something like 8AM there now, isn't it?)
[16:48:32] <Doc Evans> good afternoon
[16:49:01] <Doc Evans> I don't think that any Seoul people are here
[16:51:10] <Doc Evans> Time for tea here
[17:18:13] --- DougEngert has joined
[17:18:14] --- raeburn has left: Lost connection
[17:18:14] --- Doc Evans has left: Lost connection
[17:22:54] --- BCNeuman has joined
[17:23:36] <BCNeuman> Hello all, if my timezones are correct, I think the meeting starts in half an hour?
[17:25:11] --- warlord has joined
[17:26:57] <DougEngert> I hope so
[17:30:33] --- Kerberos WG has joined
[17:30:53] <Kerberos WG> Hello.
[17:31:05] --- Kerberos WG has left
[17:31:28] --- Eric Rosenfeld has joined
[17:32:09] <DougEngert> So who is/was "Kerberos WG"?
[17:32:24] <Eric Rosenfeld> um, that was me. I put in incorrect nickname.
[17:33:01] --- Doc Evans has joined
[17:33:08] <DougEngert> OK, thought it might be someone at the meeting.
[17:38:12] --- kenh has joined
[17:38:53] <kenh> howdy all.
[17:39:15] <DougEngert> Ken, Are you at the meeting?
[17:39:22] <kenh> affirmative.
[17:39:39] <DougEngert> Well tel us how things are going?
[17:40:03] <kenh> okay ... right now it's still 15 minutes before it starts :-)
[17:45:17] --- tlyu has joined
[17:46:38] --- jaltman has joined
[17:47:07] <warlord> who is the jabber scribe here?
[17:47:21] <Doc Evans> The best typist in the room, I hope
[17:47:28] <jaltman> hello all
[17:49:07] <jaltman> is there multicast for this session?
[17:49:25] <warlord> unlikely based on the room
[17:49:38] <jaltman> mine has a nice view :)
[17:49:39] --- hartmans has joined
[17:49:43] <kenh> I offered to be the jabber scribe, but I'm not sure if I'll be the best scribe. Obviously, I can't produce regular notes at the same time.
[17:50:24] <hartmans> Cliff, do you believe there are any outstanding issues on clarifications?
[17:50:36] <hartmans> I'm digging up your mail
[17:50:39] --- raeburn has joined
[17:50:57] --- jhutz has joined
[17:51:54] <jhutz> where's Brian?
[17:52:14] <BCNeuman> I do not believe that there are. There was on issue where that had been discussion, but no consensus that I did not include an update for. Sam later mentioned that he said he was OK with the change, but I don't think it was a significant change anyway, so I am hoping this goes through as it is.
[17:52:16] <jhutz> There is not multicast. We asked, but we did not get it
[17:52:44] <jaltman> thanks for asking
[17:53:07] <jhutz> We'll wait a couple of minutes longer, since it's not actually 9 yet
[17:53:17] <jhutz> Maybe we can hold the next interim meeting on jabber...
[17:53:44] <warlord> we'd need a jabber-based white-board app. does one exist?
[17:53:46] <DougEngert> Looks like most of the WG is on line.
[17:53:55] --- lha has joined
[17:53:59] <Doc Evans> There's an experimental JEP on whiteboarding
[17:54:05] <Doc Evans> but nothing solid
[17:55:03] <BCNeuman> The one issue I was referrig to was the new text for the ctime, cusec, cream, cname, realm and sname fields.
[17:55:14] <hartmans> Nod
[17:55:55] <BCNeuman> Did Brian confirm he would be on. I'm at home now (went home to install gabber and take the conference participation from here).
[17:56:36] <BCNeuman> I'm calling Brian now, but not getting an answer.
[17:57:41] <kenh> Okay, I guess I'm scribe.
[17:57:54] <kenh> Jeff Hutzelman is opening the meeting.
[17:57:59] <DougEngert> Who is at the meeting that is not on Jabber?
[17:58:11] <kenh> love and wyllys ingersoll.
[17:58:37] <kenh> jhutz: Welcome to krb-wg. Doug Engert could not be here today.
[17:58:53] <BCNeuman> I just spoke to Brian. He plans to be on, but has to get his jabber client started.
[17:59:16] <kenh> Call for volunteers: scribe, jabber, and mic interface.
[17:59:30] <kenh> me for jabber scribe, love for mic interface.
[17:59:33] <lha> I'm supposed to be a mic interface for you all jabber people
[18:00:12] <kenh> no scribe currently, jhutz will synthesize them.
[18:01:12] <kenh> agenda bashing: no comments.
[18:01:21] <kenh> first item on agenda: crypto framework.
[18:01:29] <hartmans> Ken issues resolved with crypto?
[18:01:37] <kenh> raeburn believes all issues are resolved.
[18:02:18] <kenh> AD (Russ) checked the current status, said new draft cleared Allison's discuss, only thing left is Thomas Narden's.
[18:02:47] <kenh> next up: clarifications. Author believes all issues are resolved.
[18:03:08] <kenh> Russ: three discussion items, will require more work.
[18:03:33] <BCNeuman> I have not seen any subseqent comments from Russ. What are the issues?
[18:03:37] <kenh> Next: GSSAPI-CFX. Issues were brought up, document author submitted a new version before cut-off.
[18:03:55] <raeburn> Ah, good. I kept forgetting to let Russ & Thomas know the new version was in. :-(
[18:04:21] <raeburn> (of crypto. sorry, i'm a little slow)
[18:04:32] --- alexeymelnikov has joined
[18:04:35] <kenh> It is believes that all issues are resolved with GSSAPI-CFX.
[18:04:45] --- rlbob has joined
[18:04:55] <kenh> hartmans: I believe we're in pretty good shape regarding kerberos extensions.
[18:05:22] <kenh> hartmans: Authors have gotten together, shared CVS repository to resolve bottleneck issues.
[18:05:59] <kenh> hartmans: IESG wanted them to use a different issue tracker than the one that they're using, not a big deal.
[18:06:12] <kenh> hartmans: Big issue is text - we don't have any.
[18:06:41] <kenh> hartmans: Meanwhile, Tom Yu has never liked the structure of extensions, and has a draft for an alternative proposal.
[18:06:52] <kenh> jhutz: Questions/comments about extensions?
[18:07:10] <jaltman> Tom: what is your proposal?
[18:07:37] <kenh> hartmans: draft-yu-krb-wg-kerberos-extensions-00
[18:07:45] <jaltman> thanks
[18:08:07] <kenh> hartmans; Alternate document structure for extensions - ideally draft describes same wire protocol.
[18:08:25] <kenh> hartmans: Clarifications is both too verbose and too unclear.
[18:08:35] <kenh> hartmans; Content is duplicated between sections 3 and 5.
[18:09:19] <kenh> hartmans: E.g., you have to refer back and forth between sections 3 and 5 to understand the complete message semantics.
[18:09:38] <kenh> hartmans: motivations are to fix these issues.
[18:09:51] <jaltman> http://www.ietf.org/internet-drafts/draft-yu-krb-wg-kerberos-extensions-00.txt
[18:10:28] <kenh> hartmans: Goals - give document hierarchical reorg, put sematics in one place, integrate semantics and message definitions, remove implementation-specific details (e.g, kdb description in rfc1510)
[18:11:11] <kenh> hartmans: Accomplishing these goals: Move all overview material to beginning before message descriptions.
[18:12:18] <kenh> hartmans: Treat TGS and AS request as specializations of more general KDC request. Tom believes it will be easier to to understand if requests are described more generally and describes differences between TGS_REQ and AS_REQ.
[18:12:33] <kenh> hartmans: Describe in terms of ASN.1 types.
[18:13:18] <kenh> hartmans; New document layout - Overview, basic concepts, individual sections for three protocols of Kerberos (each protocol described seperately).
[18:13:51] <kenh> hartmans; Description of overivew - Trusted third party, identify parties in Kerberos exchanges.
[18:14:16] <kenh> hartmans: Basic Kerberos concepts - ASN.1 usage, principals, encrypted data (ref to crypto framework), composition of tickets.
[18:14:32] --- BrianTung has joined
[18:15:06] --- BrianTung has left: Disconnected
[18:15:13] <kenh> hartmans: Three protocols - Credential acqusition (AS_REQ/TGS_REQ), Application Authentication (AP_REQ), Session key usage by applications.
[18:15:45] --- BrianTung has joined
[18:15:57] <kenh> hartmans: Credential acquisition - describe common elements of KDC request handling, better discussion of keys in this request, clear up timestamp handling.
[18:16:26] <BrianTung> OK, I'm on.
[18:17:43] <kenh> hartmans: Missing from document - discussion of naming issues, discussion of transport, instances of the typed holes (ETYPE_INFO2), empty sessions. All things clearly needed to be added, only reason they are missing is due to lack of time.
[18:19:32] <kenh> hartmans: Questions for WG - Is this structure easier to understand than clarifications, and how should we choose which structure to adpot?
[18:20:11] <kenh> hartmans: Note that ASN.1 is very different in extensions - one person has objected to this already.
[18:20:28] <kenh> russ: Summary of ASN.1 issues, please?
[18:21:00] <kenh> hartmans: In summary, we used nearly every feature we could get our hands on (like information object elements).
[18:21:32] <kenh> hartmans: note that an appendix will include the ASN.1 structure with the information elements templated out.
[18:22:10] <kenh> jhutz: Issue of what protocol we are or are not going to have is not relevant to this particular discussion.
[18:22:51] <jhutz> Slides for the presentation just finished are at http://www.cs.cmu.edu/~jhutz/extensions.pdf
[18:23:05] <kenh> jhutz: Three questions for WG
[18:23:24] <kenh> Who read tom's proposal?
[18:23:33] <hartmans> (We want answers from here)
[18:23:33] <kenh> (jhutz is asking jabber participants)
[18:23:52] <BCNeuman> I have read it.
[18:23:53] --- rickravaya has joined
[18:23:54] <raeburn> not in detail yet
[18:24:09] <DougEngert> Looked it over.
[18:24:19] <jaltman> I have just scanned it. I think the layout looks much easier to approach when compared to our previous texts.
[18:24:31] <Doc Evans> I scanned it and like the layout
[18:24:53] <Doc Evans> Someone not well-versed in this stuff might stand a chance of implementing it correctly quite quickly
[18:25:03] <kenh> jhutz: Do people think this is easier to understand than clarifications? (Already seen the answers from some jabber participants, more are welcome)
[18:25:26] <BCNeuman> Layout is cleaner, in part because I think we dispense with a lot that had to be in clarifications for completness and paralleling the original 1510.
[18:26:12] <raeburn> What I've looked at so far, yes, but that's not a lot.
[18:26:13] <kenh> jhutz: Unclear how to choose which structure we should adopt. What criteria do we think are important?
[18:26:24] <kenh> Tom, do you want to comment on this question?
[18:26:45] <Doc Evans> 1. Precision; 2. clarity for a developer who has never implemented this before
[18:26:51] <tlyu> i think clarity and good organization are important
[18:27:39] <tlyu> while i agree that we should not be writing a tutorial, we should still approach things in an orderly top-down fashion.
[18:27:54] <jaltman> I think there is a benefit to a re-org in that it will cause us to think about re-writing sections which we would not otherwise touch if we were simply extending upon Clarifications.
[18:28:25] <jaltman> Tom has already taken a big first couple of steps in this direction
[18:28:41] <jas> both documents need much more details if you want to implement it from the document only. the layout, while nice, can't compensate for lack of details.
[18:28:53] <kenh> jhutz: Looks like there is more support than not; will take this to the mailing list, will try to get it resolved in the first few days after we get back.
[18:29:27] <jhutz> [who is jas?]
[18:29:36] <jas> [simon josefsson]
[18:29:57] <warlord> [hi simon]
[18:30:03] <kenh> love: I think it is worth considering the cost it will take to rewriting the spec versus just starting from clarifications.
[18:30:28] <kenh> jhutz: Next item on agenda - PKINIT
[18:30:44] <kenh> jhutz: Note to jabber scribe - be extra careful.
[18:30:48] <hartmans> ==warlord Good to have other implementers here; hi Simon
[18:30:48] <lha> [love entries are tunning people in jabber]
[18:31:03] <BrianTung> I don't think it will be a problem, but I have to leave for about 20 minutes at 5:30 PST (that is, in about 55 minutes).
[18:31:03] <kenh> jhutz: draft-ietf-cat-kerberos-pk-init-18.txt
[18:31:41] <kenh> jhutz: Everything in here should be up-to-date, taking a bit longer than we hoped, but should be no more unforseen issues.
[18:32:01] <BrianTung> pk-init-18.txt includes mostly changes that were agreed on in principle in November.
[18:32:27] <BrianTung> I've done some of the things improperly (like the IMPORTS), but I've already begun fixing them in the pk-init-19.txt version.
[18:32:49] <kenh> jhutz: Back in Vienna, there was a significant push from certain people to get people working on pkinit, in response to that we had the interim WG meeting in Boulder, CO, to focus on some of these issues.
[18:33:23] <BrianTung> do people want me to recap the changes that went into pk-init-18.txt?
[18:33:37] <hartmans> I think Jeff is doing that now in brief detail
[18:33:50] <kenh> jhutz: Some issues were worked out on the mailing list, some issues worked out after Minneapolis meeting. After we work out few remaining issues, document should be ready for last call.
[18:34:24] <kenh> jhutz: Remaining open issues: SubjectAltName, what should it look like? Received comments from Brian, with proposed text.
[18:34:28] <BrianTung> would it make sense to run pk-init-19.txt by Russ before submitting it?
[18:34:49] <BrianTung> oh yes, in preparation for pk-init-19.txt, I did a little stroll down memory lane on the subjectaltname issue.
[18:34:59] <BrianTung> it turns out it's much older than I had remembered.
[18:35:14] <kenh> jhutz: Client Name Canonicalization - resolved recently on mailing list.
[18:35:54] <kenh> jhutz: Resolution - clients do need to include a client name in their PKINIT request.
[18:36:31] <kenh> jhutz: Name returned by KDC in ticket must match name requested by client.
[18:37:02] <kenh> jhutz: Love brought up issues about OCSP - will go back and forth on mailing list, and hopefully come up with better text.
[18:37:14] <raeburn> pkinit-18 goes into some kcrypto stuff that it probably shouldn't. I'll send email...
[18:37:42] <BrianTung> OK, I thought we had eliminated most of that.
[18:37:48] <kenh> jhutz: Preauth type numbers - have agreed to change preauth type numbers at the last minute, should not be an issue.
[18:38:12] <kenh> jhutz: Open discussionn?
[18:38:16] <Eric Rosenfeld> Before pkinit-19 is submitted, I'd like to offer assistance in editorial review on the draft. Doc Evans and I can help to ensure the text is solid for a last call. Is this appropriate?
[18:38:34] <BrianTung> I don't see a problem with that.
[18:38:50] <Doc Evans> Thank you, sir
[18:39:17] <Eric Rosenfeld> Great. What is the timeframe for completing pkinit-19?
[18:39:39] <BrianTung> I'm caught up, so as soon as I get suggestions for changes, they go straight in.
[18:39:53] <BrianTung> that means that it's gating on the open issues, but *only* on the open issues.
[18:40:12] <kenh> comment from brian relayed about talking to russ; jhutz will send him email.
[18:40:27] <kenh> second set of slides are now up, in same place, krb-agenda.pdf
[18:40:31] <BrianTung> thanks, ken.
[18:40:53] <jhutz> eric - sounds like a good idea to me
[18:41:27] <jhutz> if you want you can forward a copy to me as well, so I can do my usual WG chair nits thing
[18:41:37] <BrianTung> I will send e-mail to eric and doc with the current state of the draft.
[18:41:38] <Eric Rosenfeld> OK, then can we agree on a date for resolving open issues, and handing pkinit-19 to Doc and myself, and when we should resolve editorial issues by.
[18:41:40] <BrianTung> and to jeff, too.
[18:41:48] <kenh> jhutz: One more items on agenda; hartmans will talk about preauth.
[18:42:05] <kenh> hartmans: apologize for lack of slides.
[18:42:09] <BrianTung> do we need to settle dates now, or do it through e-mail also?
[18:42:27] <Eric Rosenfeld> email is fine, as long as we settle dates by end of week?
[18:42:28] <kenh> hartmans: last meeting we decided to do work on the preauth issues I raised. See draft (name unknown right now).
[18:42:40] --- rickravaya has left
[18:42:45] <jhutz> some of us are getting onto long flights tomorrow.
[18:43:01] <kenh> hartmans: Writing down the "oral tradition" in the Kerberos community about how preauth works.
[18:43:08] <Eric Rosenfeld> ok, then how about next week?
[18:43:09] <lha> draft-ietf-krb-wg-preauth-framework-00.txt
[18:44:05] <BrianTung> wednesday next week: deadline for settling dates for resolving open issues, submitting draft-19 to nitpick, and then completing nitpick?
[18:44:08] <kenh> hartmans: Introduced concept of "authentication session" that only exists on client, which has to keep state between requests and the encryption key (which may change).
[18:44:11] <jhutz> I think we should be able to resolve the subjectaltname issue by the end of next week, unless there are unexpected issues.
[18:44:24] <jhutz> I don't know how long it will take to resolve lha's OCSP language issue.
[18:44:33] <kenh> hartmans: Preauth must be designed so the KDC does not need to keep state.
[18:44:36] <Eric Rosenfeld> ok, great. Thanks, Brian.
[18:44:40] <jhutz> (maybe lha can comment on that?)
[18:45:00] <jhutz> I'd like to settle dates now, so we can try to stay on track
[18:45:01] <BrianTung> is lha in seoul?
[18:45:06] <jhutz> yes he is
[18:45:32] <kenh> hartmans: Draft also talks about preauth in the Kerberos extensibility model (how to determine the other side supports a particular preauth protocol).
[18:45:54] <BrianTung> all right: I propose, resolve open issues by March 15; submit pk-init-19.txt to jeff, doc, eric by March 22;
[18:46:02] <BrianTung> when do you want to get it back to me by for final revisions?
[18:46:21] <kenh> hartmans: Preauth draft also discusses the kind of state in a preauth request; this may be obvious to us, but is not written down anywhere.
[18:46:30] <jhutz> It should not take me more than a couple of days to do nits; it's partly automated. Eric? Doc?
[18:46:42] <kenh> hartmans: Had a meeting with Love, it turned out that we had fairly similar ideas.
[18:46:44] <Doc Evans> March 29
[18:46:53] <BrianTung> we also need love's input on how long ocsp will take to resolve.
[18:47:16] <BrianTung> fine by me.
[18:47:18] <jhutz> So, resolve issues by mar 15, doc ready for nits by 22, nits back by 29?
[18:47:27] <Eric Rosenfeld> sounds great.
[18:47:34] <raeburn> I'd also like to nitpick -19 for crypto stuff. (Email on its way to Brian shortly.)
[18:47:35] <BrianTung> pending love's input, ok by me.
[18:47:41] <jhutz> ... then it gets submitted to i-d repository by what date? mar31 if there are no major changes?
[18:47:51] <BrianTung> OK, ken. do you think it's going to be time-consuming, or mostly just excising?
[18:48:05] <BrianTung> (to jhutz) apr 2.
[18:48:07] <kenh> hartmans: Example: A KDC could support PKINIT or hw-preauth w/ SecurID. There is no way for the KDC to indicate combinations; we would like to declare this problem out of scope - solving this problem is very hard.
[18:48:20] <lha> [brian: I don't know, the text as is was proposed by Jaganathan was ok]
[18:48:37] <jhutz> OK; apr 2. And then I'll last call when it appears in the repository.
[18:48:38] <BrianTung> [to love] so it's your contention that I copied it poorly? that's fine.
[18:48:44] <kenh> hartmans: Another issue: authentication of request/replies, especially with multiple round-trip messages.
[18:48:55] <BrianTung> I was editing as I copied it in, so I probably messed stuff up.
[18:49:07] <raeburn> Mostly excising. Maybe moving a little text around.
[18:49:16] <lha> [brian: but it assumes that the assumptions that Jaganathan makes are ok]
[18:49:20] <kenh> hartmans; Need to discuss what is used as nonces.
[18:49:26] <BrianTung> [to ken r] OK, hope it's easy.
[18:49:28] <larry> hello, we are JK and Larry from Microsoft, we have some concerns over the cname requirement, but we will raise in the list
[18:49:47] <raeburn> Should be.
[18:49:55] <kenh> hartmans;: If things are easier if an issue is deferred until extensions is ready, I would rather do that.
[18:49:57] <jhutz> brian, do I need to ask Russ to take a look at this? Will -18 be sufficient for that purpose?
[18:50:04] <BrianTung> [to love] you have reason to think they might not be valid assumptions?
[18:50:22] <jhutz> If so, can you send me mail with the details, and I'll forward it on to him? I'd rather not have our schedule assume Russ is going to review a document in a week
[18:50:25] <kenh> hartmans: Things that can be made to work with clarifications, I would like to do them.
[18:50:26] <BrianTung> [to jeff] no, because the subjectaltname stuff is punted (or perhaps just done wrong) in pk-init-18.txt
[18:50:28] <lha> [brian: is static configration ok of responder id ok]
[18:50:37] <kenh> hartmans: New draft coming out now, please read it, comments/questions?
[18:50:50] <jhutz> larry/JK; if you stick around until the end of sam's presentation, we can bring it up at open mic
[18:50:58] <larry> sure
[18:51:19] <kenh> love: Would we want to use a new specifications of nonces in other preauth mechanisms, or just make them available for other preauth mechanisms?
[18:51:29] <jhutz> also is there anything you want to say about the referrals document?
[18:51:44] <BrianTung> [to love] I don't think I followed your last remark.
[18:51:48] <kenh> hartmans: I hope preauth document will be useful in clarifications universe, and not be broken in an extensions universe.
[18:52:03] <kenh> I might have transcribed his comment poorly.
[18:52:10] <jhutz> Is subjectaltname the only thing you want russ to review now?
[18:52:24] <larry> we would like to see more input from the wg on the referral draft
[18:52:51] <BrianTung> [to ken h] no, I was talking about his direct remark to me.
[18:53:12] <kenh> hartmans; I have received enough comments from people that want this work, so I would rather not defer it until extensions.
[18:53:17] <BrianTung> "is static configuration ok of responder id ok"
[18:53:18] <kenh> brian - okay, understood.
[18:53:39] <BrianTung> [to jeff] it's certainly the thing that is in the most flux, so yes.
[18:53:48] <lha> [brian: ocsp assume local static configuration of preauth responders on clients, if responders id change, how should the clients know ?]
[18:53:57] <hartmans> Larry looking at referals is fairly high on my priority list
[18:54:26] <kenh> jhutz: If there are no comments on Sam's presentation, would like to move into open mic portion.
[18:54:37] <kenh> jhutz: Anything else anyone wants to bring up?
[18:54:38] <jhutz> now is the time to bring up your comment, larry
[18:55:19] <larry> client configuration changes can be preformed via policy (for OCSP responder-ids)
[18:56:04] <jhutz> we're going to take cname offline, then
[18:56:04] <kenh> jhutz: OCSP discussion will be taken to list.
[18:56:06] <jhutz> any other comments?
[18:56:35] <BrianTung> larry, you do not want to raise your cname concerns here?
[18:56:41] <larry> sure
[18:56:56] <kenh> jhutz: looks like we're done, we will see you all in san diego
[18:57:07] <warlord> wow, that was quick!
[18:57:11] <BrianTung> that *was* quick.
[18:57:16] <kenh> yeah, you're not kidding.
[18:57:23] <larry> are you waiting for us?
[18:57:39] <larry> we would like to keep the cname as OPTIONAL
[18:57:43] <raeburn> Interesting that half the participants (or more?) were *only* participating remotely...
[18:57:47] <jaltman> any reason for an interim meeting?
[18:58:02] <kenh> jeff says that no, he's not waiting for you, larry.
[18:58:20] <jhutz> "keep"?
[18:58:43] <larry> what is "keep"?
[18:58:48] <BrianTung> [to jhutz and larry] the draft as it is in pk-init-18.txt is *unclear* and/or inconsistent.
[18:59:09] <BrianTung> one can infer it is optional, but nowhere in pk-init-18.txt does it explicitly state that one can omit the cname.
[18:59:12] --- jas has left
[18:59:13] <jhutz> the cname is OPTIONAL only from a syntactic standpoint.
[18:59:20] <jhutz> it is always present in AS-REQ, and never in KDC-REQ
[18:59:33] <Doc Evans> Excatly
[18:59:34] <BrianTung> and it does state that the as-req is otherwise unchanged.
[18:59:44] <larry> no, that is not necessarily true for PKINIT
[18:59:51] <larry> as shown in our PKINIT implemenation
[19:00:02] <Doc Evans> How do you come to that conclusion?
[19:00:18] <larry> how does the client know the cname?
[19:00:46] <Doc Evans> How do you conclude that any current text allows you to drop the cname?
[19:01:03] <larry> KDC-REQ-BODY ::= SEQUENCE { kdc-options [0] KDCOptions, cname [1] PrincipalName OPTIONAL -- Used only in AS-REQ --, realm [2] Realm
[19:01:14] <Doc Evans> Right...
[19:01:16] <Doc Evans> but...
[19:01:28] <larry> it does not say it is required
[19:01:39] <Doc Evans> the intent has always (I believe ) that that should be interprted to mean that it must be present in an AS-REQ
[19:01:40] <tlyu> this sort of ambiguity is one of the reasons i wanted to use quite a few additional ASN.1 constraints in extensions
[19:01:48] <Doc Evans> I do agree in principle, though
[19:01:52] <Doc Evans> But not in practice
[19:01:58] <jhutz> it is optional from a syntactic standpoint, because the same message is used for AS-REQ and TGS-REQ.
[19:02:02] <Doc Evans> Right
[19:02:12] <BrianTung> but the root issue is that you want it in because the client might not know the right cname to put in the request.
[19:02:15] <Doc Evans> Which was a mistake in RFC 1510 :-)
[19:02:15] <jhutz> It is actually the case that cname is always present for an AS-REQ, and always absent for a TGS-REQ
[19:02:27] <larry> brian is with us
[19:02:38] <BrianTung> [to larry] ???
[19:02:50] <BrianTung> you mean I understand your concern?
[19:02:51] <larry> w.r.t.
[19:02:52] <tlyu> are we going to have to invent another "magic" principal name?
[19:02:55] <jhutz> See the description of the AS exchange in 3.1, particularly the next-to-last paragraph on page 24 of clarifications-05
[19:02:58] <larry> yes
[19:03:10] <BrianTung> well, now, hold on.
[19:03:28] <larry> brian: yes
[19:04:28] <BrianTung> I'm not sure exactly how to answer that question, but the name canonicalization issue is a thorny one.
[19:04:57] <larry> correct, we are trying to give you some input w.r.t. cname canonicalizations
[19:05:32] <BrianTung> you know there have been a host of name canonicalization proposals that have been problematic.
[19:06:11] <raeburn> (a "host" of them? ow.)
[19:06:22] <BrianTung> well, ok, host is overstating it.
[19:06:34] --- tomphelan has joined
[19:06:46] <BrianTung> my concern is that the problem has been looked at previously and still lacks a definitive solution.
[19:08:05] --- tomphelan has left: Disconnected.
[19:08:19] <larry> we seems to be overtime, we can take this to the list
[19:08:31] <warlord> overtime?
[19:08:39] <warlord> there's another 1:15 left in this timeslot
[19:08:41] <larry> it is supposed to be 1 hour, right?
[19:08:51] <BrianTung> no, no, we have from 9:00 to 11:30, don't we?
[19:08:59] <BrianTung> that's 4:00 to 6:30 pst.
[19:09:04] <Doc Evans> I have to leave. Bye.
[19:09:06] <BrianTung> I have to split in about 15 minutes or so.
[19:09:08] <BrianTung> bye doc.
[19:09:20] --- Doc Evans has left
[19:10:23] <larry> short of requiring that every client certificate contain a cname the only other option is to do canonicalization
[19:10:31] <larry> either at the client or the KDC
[19:11:09] --- BCNeuman has left
[19:11:10] <BrianTung> or to do some kind of cname discovery.
[19:11:41] <BrianTung> obviously, if the cert doesn't contain the cname, the kdc will have to do some kind of transformation, if only to determine the name to check against the cname in the request (if any).
[19:11:52] <BrianTung> but I'm wary of prescribing exactly what that transformation should be.
[19:12:15] <larry> we dont want to prescribe anything either
[19:12:46] <BrianTung> then I'm unclear about what you're proposing to do.
[19:12:49] <larry> only that the cname remain optional so the mapping can be done at the KDC
[19:13:02] <BrianTung> is nico around anywhere?
[19:13:16] <kenh> I don't think he's here.
[19:13:17] <tlyu> i'm not sure that cname in an AS-REQ can really be considered optional, given wording in rfc1510, clarifications, etc.
[19:13:24] <raeburn> Unless you allow the presenter of certain certs to identify themselves as any of several principals. Then the KDC needs to *not* be doing a transformation, but an access check.
[19:13:32] <BrianTung> because nico raises the point that the cname in the reply is unsigned.
[19:13:41] <raeburn> E.g., cert for raeburn -> raeburn@ATHENA, raeburn/test@ATHENA, etc.
[19:13:57] <raeburn> Or is that already not permitted by the model?
[19:14:20] <raeburn> (Sorry, hadn't thought about it until the KDC-side transformation was mentioned, and haven't checked...)
[19:14:47] <BrianTung> you mean, make sure the proffered cname is authorized to that cert?
[19:15:05] <tlyu> nico's point is a good one... though you might be able to hack around it by including a signed cname in the reply in preauth somewhere
[19:15:06] <raeburn> Yeah, something like that.
[19:15:26] <BrianTung> that still requires the cname in the request, though, ken.
[19:15:27] <jaltman> personally I think clients certs should have a principal assigned to them as a subjectAltName. However, I believe that we agreed that we wanted the mapping of Certificate to principal to be performed at the KDC under an administrator determined policy.
[19:15:29] <tlyu> i'm not sure i like the idea of the KDC doing authorization checks, but that seems to be an inherent part of doing pkinit
[19:15:47] <BrianTung> tom, we have considered that previously. it might still happen.
[19:15:51] --- omarjan has joined
[19:16:16] <BrianTung> jeff, that's the first option; the kdc can always choose to take the subjectaltname in the cert.
[19:16:23] <tlyu> brian, which? the signed cname in preauth?
[19:16:33] <raeburn> Yes, it does. But it doesn't work with the model that the KDC can do a transformation to get the one cname permitted. Which may mean my idea is wrong, or may mean that that model for the KDC is wrong.
[19:16:35] <BrianTung> it's either choosing the name, or authorizing the name.
[19:16:46] --- omarjan has left: Disconnected
[19:16:47] <BrianTung> for the moment, we've decided that it should be authorizing the name.
[19:16:48] <jaltman> Clearly, if there is a subjectAltName in the cert, then the client should be using that as the "cname"
[19:17:03] <BrianTung> jeff, you think the order in the draft is inappropriate?
[19:17:10] <BrianTung> I'm open to that.
[19:17:21] <BrianTung> tom, yes.
[19:17:36] <Eric Rosenfeld> I have to go. I look forward to the meeting notes on this issue.
[19:17:46] --- ddp has joined
[19:17:47] <jaltman> Eric, wait please
[19:18:19] <Eric Rosenfeld> Yes?
[19:18:33] <jaltman> are you placing subjectAltNames in your certificates?
[19:18:43] <BrianTung> actually, I think subjectAltName, then local mapping makes better sense than the other way around...
[19:18:43] <jaltman> (for the client)
[19:19:08] <Eric Rosenfeld> Not for the client.
[19:19:18] <jaltman> Thank you. That is what I needed to know.
[19:19:27] <jaltman> Brian, yes, the ordering should be swapped.
[19:19:37] <BrianTung> I'll note that, thanks jeff.
[19:20:13] <Eric Rosenfeld> You're welcome. Catch you all on the reflector.
[19:20:17] <jaltman> If there is a subjectAltName in the client certificate specifying the client principalName then its contents should be used for the cname in the AS_REQ. And it should be used by the KDC as the principal name.
[19:20:25] --- Eric Rosenfeld has left
[19:20:35] <BrianTung> yes, we've all agreed the names must match.
[19:20:55] <BrianTung> that doesn't solve ms's problem, though.
[19:21:10] <tlyu> can you describe succinctly what the ms problem is?
[19:21:14] <DougEngert> Are you assuming that the certificates being used where issued with Kerberos in mind?
[19:21:19] <larry> our problem occurs when there is no subaltname
[19:21:28] <raeburn> Hm, on reflection, I suppose it makes sense to require a different cert for a different cname owned by the same person...
[19:21:32] <jaltman> We are still left with the question of what to do when there is no subjectAltName. There are two choices. Place a magic name which will be replaced by the KDC. Or require the client to perform a Certificate to Principal Name mapping before preforming the AS_REQ.
[19:21:34] <DougEngert> The Subject Altname may have been set for some other use.
[19:21:35] <BrianTung> they want to allow the kdc to determine the mapping (not verify it) in cases where the client cannot reasonably be expected to know it in advance, I guess.
[19:22:15] <BrianTung> there can be more than one subjectaltname, can't there?
[19:22:27] <jaltman> The subjectAltName will not be a kerberosPrincipal if it were not set for use by Kerberos.
[19:22:33] <BrianTung> we just want to make sure there is only one kerberos principal name encoded as such in a subjectaltname.
[19:23:01] <BrianTung> larry, is that basically right?
[19:23:32] <larry> let me try to succintly outline our requirements
[19:24:03] <DougEngert> A user could use one cert with unrelated realms, so the subjectAltName may not match either.
[19:24:17] <larry> we cannot depend on subaltname being present in the cert
[19:24:50] --- kenh has left
[19:24:53] <jaltman> I believe that MS wants to be able to use a certificate issued for a purpose other than Kerberos to be used for a Kerberos exchange. In this case, they are keeping a database of the certs which is accessible to the KDC. The KDC receives a certificate and either looks up a hash of the cert or something else in the database and gets back a principal name.
[19:25:09] <larry> and even if it did we cannot always require that it should be the name to be used
[19:25:14] <larry> that is sort of the case
[19:25:30] <DougEngert> A agree with Larry.
[19:26:19] <tlyu> larry, are you allowing for a situation where the client is unaware of the mapping the KDC uses?
[19:26:30] <BrianTung> I think that is exactly the problem.
[19:26:36] <larry> exactly.. that is the case we want to allow
[19:26:49] <BrianTung> what if the client_name_mismatch error carried a hint with the right name to use?
[19:26:55] <larry> because maintaining that mapping at the client will be very expensive
[19:27:12] <BrianTung> currently there is no e-data with the client_name_mismatch error.
[19:27:57] <jaltman> In this situation, we have to accept that client principal name canonicalization is going to take place. To stay within the spec a dummy name must be placed in the cname field. An error will occur and following Brian's train of thought the KDC must tell the client what name should be used.
[19:28:47] <tlyu> of course the KDC will have to return a preauth-required error, since padata in e-data aren't specified for anything else. yuck.
[19:28:47] <larry> this will mean that all our clients will need two round trips for each logon
[19:29:11] <jaltman> An alternative mechanism for MS is to have the host perform a protocol operation to map the Cert to the Client Principal which is secured by the Host principals.
[19:29:14] <larry> why not just let the KDC issue the TGT?
[19:29:23] <hartmans> Requiring the extra round trip doesn't buy you anything. This is a security issue and the error won't be secured either
[19:29:49] <BrianTung> tom, I don't think I quite follow.
[19:29:53] <hartmans> I think what needs to happen here is that I need to read referals.
[19:30:18] <hartmans> I'll either come to the conclusion we have a global security problem both with pkinit or we have no security problem at all.
[19:30:30] <hartmans> both with pkinit and referals that is.
[19:30:34] <tlyu> e-data aren't specified except for a small number of errors
[19:30:42] <BrianTung> ok, I was just going to ask where the "both" was binding.
[19:30:46] --- rlbob has left
[19:30:57] <BrianTung> we specify a bunch for pkinit. is that bad?
[19:31:14] <hartmans> Yeah. Tom has a point; there's not really a way to add a hint to an error in standards-track clarifications.
[19:31:16] <tlyu> are they for existing errors or for new errors?
[19:31:24] <BrianTung> sam, you've raised this previously, haven't you? the issue that the reply isn't signed?
[19:31:36] <BrianTung> for new errors, tom. client_name_mismatch is a new error.
[19:31:52] <hartmans> N I raised the general issue. We weren't sure that was bad.
[19:31:54] <BrianTung> isn't it? I thought we defined it for pkinit?
[19:31:58] <BrianTung> or did I misremember?
[19:31:59] --- ddp has left: Disconnected
[19:32:06] <hartmans> This is a specific issue of something in the reply not being signed; we're not sure it is bad;)
[19:32:18] <BrianTung> N I?
[19:33:00] <hartmans> O, if it is a new error, you could add the hint. But as Larry points out it adds a round trip and doesn't buy you anything from a security standpoint
[19:33:37] <BrianTung> I'll check to see if it's a new error.
[19:33:39] <hartmans> But I'm certain this is not a pkinit issue; this is just client name canonicalization
[19:33:42] <BrianTung> but your point is taken.
[19:34:02] <hartmans> Well, and what to stick in the cname field
[19:34:21] <jaltman> .the initial cname field is going to have to hold a dummy name
[19:34:28] <DougEngert> How about "whoami"
[19:34:47] <BrianTung> heh heh. the exact contents of the dummy name aren't important, I don't think...
[19:34:49] <raeburn> cname of "who-the-heck-am-i", which canonicalizes to any of ten thousand names depending on additional data in preauth..
[19:34:51] <jaltman> jane.doe
[19:34:57] <hartmans> How about the same dummy name we decided on as an extensions probe.
[19:35:10] <tlyu> i am having trouble finding the dummy name we decided on
[19:35:23] <hartmans> Check the boulder minutes.
[19:35:35] <BrianTung> so then what. the as-req gets sent with some dummy name (TBD), then the KDC performs its mapping and determines the real principal name to use.
[19:35:46] <jaltman> pretty much
[19:35:49] <BrianTung> nico asks how the client can trust the name in the reply?
[19:36:02] <jaltman> the reality is that it can't
[19:36:46] <jaltman> which is why the certificate should have a subjectAltName containing a kerberosPrincipal
[19:36:48] <hartmans> Right. And I know I'm not going to be convinced about security or insecurity in a real-time discussion. Which doesn't mean don't have the discussion if it will help others, but I'll consider this issue open until I read and think about extensions.
[19:36:49] <BrianTung> it can't, signed or unsigned, isn't that so? as long as the kdc determines the mapping, it doesn't really matter whether any part of the reply is signed, the client has to take the kdc's word for it.
[19:37:20] <hartmans> Taking the KDC's word might be better than Malary's.
[19:37:35] <BrianTung> malary?
[19:37:45] <hartmans> Person in the middle
[19:37:51] <jhutz> random evil attacker who sends you an unsigned response
[19:37:51] <BrianTung> ahh, right.
[19:38:00] <warlord> malary is an active attacker
[19:38:11] <jaltman> Malary is my middle name (jk)
[19:38:16] <warlord> Heh
[19:38:17] <BrianTung> we used a different name, I don't remember which...
[19:38:22] <warlord> Eve?
[19:38:34] <BrianTung> yes, eve, but I don't remember if eve was mitm.
[19:38:37] <warlord> (passive attacker)
[19:38:41] <tlyu> eve is typically passive
[19:38:47] <tlyu> mallory or mallet are active attackers
[19:38:48] <warlord> eve -> evesdropper
[19:38:57] <BrianTung> ANYWAY...
[19:39:19] <BrianTung> I'll see how much work it would be to sign the name in the reply.
[19:39:25] <jhutz> anyway, the key point is whether it matters that the cname in the reply is unsigned and therefore cannot be
[19:39:28] <jhutz> trusted by the client.
[19:39:46] <BrianTung> I really have to go.
[19:40:00] <jhutz> Let's take this to the mailing list.
[19:40:08] <BrianTung> I should have become a pumpkin about 15 minutes ago.
[19:40:19] <tlyu> i can't find the "magic" principal name in the boulder minutes
[19:40:33] <tlyu> can someone please extract it and send to the mailing list?
[19:40:37] <jaltman> are the jabber ietf rooms available during the off season?
[19:40:44] <BrianTung> yes, this is useful.
[19:40:57] <BrianTung> (I mean yes, I agree with your question, I don't know if they're available.)
[19:41:05] <raeburn> I believe they are.
[19:41:23] <raeburn> Brian: My crypto notes are on their way to you.
[19:41:27] <jhutz> Note that in extensions, the as-rep will be signed, including the cname
[19:41:30] <BrianTung> ok, I'll take a look at them tomorrow, probably.
[19:41:46] <BrianTung> buh bye.
[19:41:50] <jhutz> yes, they are always available
[19:42:08] --- BrianTung has left
[19:42:14] <jaltman> cool, then there is only a security hole for clarifications. maybe this is a reason for MS to implement extensions
[19:42:20] <hartmans> Thanks for your time
[19:43:05] <tlyu> i also need to leave soon
[19:44:27] <jhutz> I think folks need to review the referrals draft, and decide whether it's a problem at all.
[19:45:43] <larry> the client name is going to protected in the referral info
[19:46:09] <larry> the existing MS implementation does not use the unsigned field
[19:46:09] <jhutz> "referral info"?
[19:46:17] <larry> but use the ones in the PAC
[19:46:43] <larry> I think I mixed it up, the referral-info contains the server infomation
[19:46:47] <larry> not the client
[19:47:00] <jhutz> In extensions, the cname in the reply will be signed. So as part of doing referrals, we can make the cname in the AS-REQ explicitly optional in that protocol.
[19:47:02] <larry> this is not a concern for us because of the PAC
[19:47:15] <larry> but we should address it in the referral draft
[19:47:18] <jhutz> But the PAC is a MS extension and not part of the base kerberos protocol
[19:47:36] --- tlyu has left
[19:47:39] <larry> that is correct, we should address this in our next version
[19:48:10] <jaltman> I am fairly sure it is a problem for CableLabs
[19:48:52] <jhutz> Which means that any extensions client could send a request with no name, and let the KDC choose a name based on preauth (pkinit or otherwise) or whatever.
[19:49:06] <jhutz> But a clarifications client, even using pkinit, would have to include a cname because clarifications requires that.
[19:49:26] <jaltman> right
[19:49:31] <larry> I still did not find the exact text why clarifications require cname
[19:49:53] <jhutz> Now. _iF_ it turns out we decide not having the cname in the reply be signed is not a problem, then we can allow "no cname" with pkinit in clarifications, by using a dummy name. But net's not worry about whether/what dummy name we need until we decide it is safe.
[19:50:08] <jhutz> I referred to it...
[19:50:18] <larry> not convinced
[19:50:23] <jhutz> "In the request, the client sends (in cleartext) its own identity...."
[19:51:07] <jaltman> Clarifications - 05 Page 24 second to last paragraph coupled with the behavior of existing implementations not including MS and the fact that without a signed object to return the client principal name it there is a security hole.
[19:52:02] <jhutz> If you think clarifications is not sufficiently clear on this, there is still time to fix it. But it's pretty clear to me that that was the intent.
[19:52:42] <jaltman> the text does not say "the client may send its principal name in the cname field", its says "it will ...."
[19:52:57] <jaltman> to me that is a "MUST"
[19:53:11] <jhutz> We can change it to say "the client MUST send" instead of "the client sends"
[19:53:29] <jaltman> I agree we should submit that change after vetting it on the list.
[19:53:39] <larry> In the request, the client sends (in cleartext) its own identity and the identity of the server for which it is requesting credentials, other information about the credentials it is requesting
[19:53:55] <jhutz> Yes; that's the text we're reading
[19:54:01] <larry> the client can send it identity via pre-auth
[19:54:13] <larry> not necessary via cname, right?
[19:54:15] <jaltman> Larry, are there other circumstances other than PKINIT in which the MS implementation does not specifiy a cname?
[19:54:18] <jhutz> That's not the intent of that text, no
[19:54:32] <larry> in fact, existing MS implementation always sends cname
[19:54:37] <larry> even for PKINIT
[19:54:43] <jaltman> Even if the identity is sent via-preauth, it must still include a copy of its principal name in the cname field
[19:54:45] <larry> but we are adding new features
[19:55:00] <larry> having cname required is going to be problematic
[19:55:18] <jhutz> nonetheless, it has always been required
[19:55:31] <jhutz> we can make it optional in extensions, pretty easily.
[19:56:19] <jhutz> it's still unclear to me whether the intent of the WG is that it be possible to do referrals against clarifications. I didn't think so, but now I'm hearing otherwise.
[19:57:11] <jaltman> the answer was "no" but there was an "exception for pkinit" made in Boulder.
[19:57:27] <hartmans> As the person who caused Jeff to hear otherwise, my understanding is that nothing in the current referals document is extensions-specific.
[19:57:46] <jhutz> _If_ that is the intent, and _if_ the WG determines that there is no security problem with allowing cname canonicalization with the cname not signed in the reply (in the general case, not just if you happen to also use a non-IETF extension), _then_ we can make the cname "optional" in referrals by using a dummy name. But it will offend my sense of aesthetics
[19:57:48] <larry> that is my understanding too
[19:58:24] <larry> we can secure the cname via the referral info
[19:58:42] <larry> we can add this to the PA_DATA in kdc reply, right?
[19:59:10] <hartmans> I'm not willing to agree to anything; The issue is too complex. But yes it sounds like you are correct
[19:59:15] <jaltman> I should also clarify the "exception" by stating that there would be a commitment by those implementing PKINIT to deploy Extensions as soon as possible in order to deal with internationalization and referals issues.
[19:59:30] <hartmans> But really we're ratholed fairly significantly. Let's determine if we have a problem on pkinit before solving it.
[20:01:26] <hartmans> *craves lunch*
[20:02:33] <warlord> mmm. lunch... after marid.
[20:03:30] <DougEngert> Bye
[20:03:41] --- alexeymelnikov has left
[20:03:51] --- DougEngert has left
[20:04:45] --- hartmans has left: Disconnected
[20:04:51] <warlord> later.
[20:04:52] --- warlord has left
[20:05:54] --- hartmans has joined
[20:14:47] --- raeburn has left
[20:21:37] --- hartmans has left
[20:23:23] --- lha has left
[20:25:56] --- jaltman has left
[20:42:03] --- jhutz has left
[21:43:34] --- larry has left
[22:40:54] --- hartmans has joined
[23:39:33] --- hartmans has left