[00:08:01] --- wyllys has joined
[00:11:07] --- wyllys has left
[00:16:30] --- wyllys has joined
[00:16:36] --- wyllys has left
[11:06:26] --- wyllys has joined
[11:06:29] --- wyllys has left
[11:12:47] --- wyllys has joined
[12:49:59] --- wyllys has left
[13:10:31] --- jas has joined
[14:14:51] --- hartmans has joined
[14:18:49] --- kenh has joined
[14:33:57] --- jaltman has joined
[14:38:12] --- warlord has joined
[14:38:27] --- tlyu has joined
[14:39:38] --- DougEngert has joined
[14:40:41] --- leifj has joined
[14:41:38] --- leifj has left
[14:42:07] --- leifj has joined
[14:43:01] --- raeburn has joined
[14:43:05] --- lha has joined
[14:45:18] --- jhutz has joined
[14:49:00] --- krb-wg has joined
[14:49:04] <kenh> Doug Engert is opening the meeting.
[14:49:06] --- pbh has joined
[14:49:15] <hartmans> Pre-meeting discussion suggests that we may be able to require DER for CMS, but their may be problems with certs.
[14:49:22] <kenh> Passing of blue sheets, etc.
[14:49:53] <hartmans> Especially when directories are involved; they tend to produce BER encodings of certs.
[14:49:59] <kenh> (Any notes other than the jabber scribe are welcome)
[14:50:52] <krb-wg> so signature verification involves decoding and re-encoding; collective groan followed
[14:50:54] <jhutz> http://grand.central.org/dl/ietf-krb-wg/
[14:51:01] <lha> encryptedContent when doing encryptedData is a problem
[14:51:05] --- masahiro has joined
[14:52:05] <jaltman> welcome to the 59th IETF
[14:52:21] <lha> some implementation does BER encoding of the OCTET STRING for streaming reasons, and then part of the data is BER and part DER
[14:52:27] <kenh> Agenda bashing ... very quickly.
[14:52:51] <kenh> (Note: bulk of time will be spent on pkinit)
[14:53:00] --- wyllys has joined
[14:53:56] <kenh> note: jhutz has a crappy laptop and it doesn't display the agenda properly.
[14:54:33] <jaltman> according to Russ, some X.500 directories accept a certificate in DER and re-encode it in BER and then send the BER encoded version when a certificate is requested from the directory. The recipient must decode the BER and re-encode as DER before verifying the signatures. Implementations which do not support both BER and DER will be *surprised*.
[14:55:08] <kenh> First topic: Document status
[14:55:23] <kenh> Crypto Framework: RFC Editor Queue
[14:55:24] <lha> pwd
[14:55:41] <krb-wg> am I showing up here?
[14:55:46] <kenh> Yes.
[14:55:50] <jaltman> who are you?
[14:55:54] <krb-wg> as nico-sun?
[14:56:00] <leifj> as krb-wg
[14:56:02] <raeburn> no, as krb-wg
[14:56:02] <hartmans> Loe, do you object to the PRF change? I assume you have actually implemented.
[14:56:12] <krb-wg> why? how to fix?
[14:56:25] --- krb-wg is now known as nico-sun
[14:56:34] <nico-sun> ok, got it
[14:56:41] <nico-sun> (sigh)
[14:56:52] <lha> hartmans: PRF change is just fine, implemented but not deployed so it doesn't matter
[14:56:58] <leifj> sam speaks to prf
[14:57:55] <kenh> Sam Hartmans: We try to avoid using keys directly, and instead we want to derive keys for each use. We didn't do this for PRF. We want to change this. Basically, instead of using the protocol key directly, you call DK() on the key with a fixed constant (which we need to decide on). One line document change.\
[14:58:47] <kenh> Number of votes for this change, nobody opposed.
[14:59:06] <kenh> Next Topic: GSSAPI-CFX: RFC Editor Queue
[14:59:58] <kenh> Steve Bellovin said he was unsure with Sam's assertion that no registries are needed, still outstanding.
[15:00:09] <kenh> Next topic: AES
[15:00:26] <kenh> Still in IESG queue.
[15:01:01] <kenh> Ken raeburn: Comments from last-call process: some of the recommendations were vague (e.g., key salting recommendations)
[15:01:15] <kenh> Russs Housley: AD's haven't decided on it yet.
[15:02:48] <kenh> Next topic: Clarifications
[15:03:06] <leifj> pepole are playing around with the projector here....
[15:03:43] <kenh> Status: One more revision to go.
[15:04:34] <kenh> Issue from Steve Bellovin regarding link-local addresses; discussed with ADs in the Internet area, believe it is resolved.
[15:05:33] <kenh> Cliff Neuman will put out a set of changes.
[15:06:06] <kenh> Another issue on mailing list: Requests from Nico Williams & Wyllys Ingersoll to add AES-128 enctype to clarifications.
[15:06:20] <nico-sun> as recommended
[15:06:33] --- amelnikov has joined
[15:06:36] <nico-sun> (SHOULD)
[15:06:45] <kenh> If there are no objections, they will be added for next revision.
[15:07:05] <kenh> Next topic: WG Priorities
[15:07:35] <kenh> Going through WG milestones and seeing if they still apply.
[15:08:47] <kenh> (First milestone should be "Clarifications", not extensions).
[15:09:11] --- wyllys has left
[15:09:18] <kenh> First draft of pre-auth framework issued, should be complete in Jan 05.
[15:09:47] <kenh> First draft of extensions: Document should be complete by Washington.
[15:10:40] <kenh> Need to adjust time for PKINIT milestone.
[15:11:16] <kenh> Adjust extensions document submission to IESG to April 05
[15:12:03] <kenh> Holding off on set/change password milestone date for now.
[15:12:29] <nico-sun> we'll talk about the date after my presentation on set-passwd v2
[15:13:27] <kenh> Suggestion for pre-auth framework milestone for Jan 05; still undecided.
[15:13:39] <kenh> Sugggestion to drop milestone for PKCROSS because it's too far out.
[15:14:20] <kenh> Russ points out that if a document is listed in the charters, it neeeds to be on the milestones.
[15:15:22] <kenh> There doesn't seem to be a charter listed on the web page for krb-wg; will have to defer discussion on PKCROSS.
[15:15:37] --- wyllys has joined
[15:15:50] <kenh> Final item: Milestone review. We're ahead on this one.
[15:16:05] <kenh> Next Topic: PKINIT, Brian Tung speaking.
[15:16:31] <kenh> Major issues (culled by Jhutz from the mailing list)
[15:17:08] <kenh> OCSP and optional revocation info: Should we merge spec into PKINIT or submit as separate draft?
[15:17:28] <kenh> Brian: Thought Nico and Larry were in agreement.
[15:18:13] <kenh> Nico: Only objection right now is where OCSP
[15:18:18] --- amelnikov has left: Replaced by new connection
[15:18:19] --- amelnikov has joined
[15:18:19] --- amelnikov has left
[15:18:23] <kenh> ... where OCSP info goes.
[15:19:12] <nico-sun> separate PA, separate I-D
[15:19:23] <nico-sun> the end
[15:19:34] <kenh> DH Key derivation
[15:20:42] <kenh> Sam: What we're trying to do is that several parties want to be able cache a DH key for several hours and use it again in static-static mode.
[15:21:03] <kenh> Sam: Main issue is how we do key derivation and how we use nonces.
[15:23:10] <kenh> New proposal: Add nonces both directions, DH-specific nonces, longer than clarifications nonces, You will have to omit the nonces in the signed data using this mode. You then take a bunch of stuff and in the packet and feed it into PRF.
[15:23:55] <kenh> This requires a wire format change; I believe we should defer the discussion until we see if we have other wire format changes.
[15:24:04] <lha> I don't see any real problem with changing the wire format, the server is aware of old/new client via PA number
[15:24:05] --- jaltman has left: Replaced by new connection
[15:24:05] --- jaltman has joined
[15:24:05] --- jaltman has left
[15:24:16] <kenh> Consensus of room is that we should do it.
[15:25:33] --- amelnikov has joined
[15:25:38] <kenh> (The whole issue of wire format changes will be deferred to the list)
[15:26:31] <kenh> (the question of MAY versus SHOULD will also be deferred to the list)
[15:26:45] <kenh> Next subtopic: DER versus BER.
[15:27:54] <nico-sun> DAP does the evil thing
[15:28:18] <nico-sun> the evil thing being: decode, re-encode using different rules, which breaks the sig
[15:28:41] <nico-sun> but that's ok cause the peer decodes, re-encodes and verifies the signature
[15:28:50] <lha> encryptedContent when doing encryptedData is a problem, some implementations will encode the encryptedData in BER so they can stream data into the object regardless if it knows the length of the inline data or not
[15:29:03] <kenh> Russ: When a CA makes a certificate, it encodes it in DER. When the cert is placed in a X.500 directory, the protocol that you talk to the X.500 directory (DAP) doesn't use an octet-string for the cert, but the ASN.1 structure of the cert.
[15:29:15] <nico-sun> evil indeed
[15:29:35] <kenh> Russ: And the directory will encode the cert in BER, so clients need to be able to decode and reencode it in DER.
[15:30:03] <lha> example: http://people.su.se/~lha/patches/heimdal/pkinit-needs-octet-string-wrapping.txt
[15:31:31] <tlyu> lha, is there a hexdump of that encoding?
[15:31:47] --- jaltman has joined
[15:32:00] <kenh> jhutz: We'd like to specify one encoding, and we'd like it to be DER.
[15:32:28] <lha> tlyu: replace txt with raw and you the the binary blob
[15:32:34] <kenh> sam: I'd like to object to picking DER. It seems like we're doing this for one vendor which didn't support indefinite-length encodings.
[15:34:46] <kenh> tlyu: My experience is that going from a hand-coded DER encoder/decoder to a general-purpose BER encoder is hard.
[15:35:12] <lha> I don't mind picking DER, but I think its wrong and we couldn't do it (I voiced this concern in ietf-58, so its not like you had warning)
[15:35:43] <nico-sun> lha: I just offered a straw man: specify BER for the PKINIT types
[15:35:45] <nico-sun> :)
[15:36:24] <kenh> jhutz: I'll channel some stuff from CableLabs: They believe that permitting BER is a significant change in the spec, and they will choose to be non-compliant in this respect. They won't like it, but that's what they will choose to do.
[15:37:55] <kenh> sam: The assumption is that we would like to make life easier for one vendor by specifying DER. But we're also making life easier for another vendor by spec'ing BER.
[15:38:33] <kenh> sam: When picking a vendor to make life easier, we should pick a vendor who is operating on the open internet, and not one in a walled garden.
[15:39:17] <lha> Its a CMS type, we can't choose, its BER. so the question is if we should allow BER in kerberos spec or wrap it with OCTET STRING
[15:39:26] <nico-sun> does Heimdal use its own CMS implementation?
[15:39:33] <nico-sun> or does it use OpenSSL
[15:40:11] <nico-sun> Leif says it uses its own
[15:40:57] <lha> heimdal have code that three versions of it, valicert, openssl, heimdal. the first two requires me to use something of the equvalent of ANY
[15:41:33] <nico-sun> IOS
[15:41:44] <nico-sun> Information Object System
[15:41:47] <nico-sun> :)
[15:42:03] <kenh> jhutz: Channeling cablelabs again: Wrapping CMS in octet string isn't harder, but it will be a protocol format.
[15:42:32] <lha> heimdal's asn1 parser/generator only support enough BER to work with DCE
[15:42:56] --- N7DR has joined
[15:43:51] <kenh> jhutz: Wrapping helps some vendors seperate from the encoding issue.
[15:45:40] <kenh> jhutz: Note that wrapping is not intended to solve the DER versus BER issue; it's to solve the issue of "I want to use a CMS library to parse certificates" issue.
[15:46:32] <kenh> jhutz: Does using IMPLICIT OCTET STRING avoid a change to the on-the-wire protocol?
[15:46:43] <kenh> tlyu: No, it does not avoid a change.
[15:47:12] <kenh> tlyu: it's a one-bit change to the on-wire protocol.
[15:49:03] --- Kurt has joined
[15:49:42] <kenh> Consensus of the room is that we want to wrap it with OCTET-STRING. Are there objections on jabber?
[15:50:01] <nico-sun> IMPLICIT OCTET STRING
[15:50:19] <kenh> hey, nico, you're welcome to take over scribe if you want :-)
[15:50:47] <warlord> was it Implicit or Explicit? I thought Explicit
[15:51:13] <raeburn> explicit has bigger on-wire change; implicit is the one-bit change.
[15:51:52] <N7DR> Not much in it really; they are both changes, but noth are small changes, aren't they?
[15:52:08] <N7DR> FWIW, I gneerally prefer EXPLICIT wherever possible
[15:52:26] <nico-sun> warlord: implicit
[15:52:47] <warlord> ok, that seemed unclear
[15:52:53] <warlord> (to me)
[15:53:21] <kenh> jhutz is being especially grumpy right now.
[15:53:27] <nico-sun> does the room agree with me?
[15:53:34] <N7DR> I owuld like ot echo the earlier comment about the difficulty of converting from a hand DER encoder/decoder to a general BER one; it's a rather difficult change
[15:53:39] --- pbh has left: Replaced by new connection
[15:53:39] --- pbh has joined
[15:53:39] --- pbh has left
[15:53:52] --- pbh has joined
[15:54:35] <N7DR> My experience with people who are new to ASN.1 encoded messages are much more likely to get EXPLICIT right than they are to get IMPLICIT right
[15:54:37] <lha> MS uses IMPLICIT OCTET STRING to wrap all CMS types
[15:54:58] <hartmans> Yeah, this is tough. We're basically chosing between simplicity and supporting all off the shelf CMS encoders
[15:55:37] <hartmans> Well, if you prefer explicit tags bring that up on the list.
[15:55:46] <hartmans> I think the rest of us don't care so much
[15:56:49] <N7DR> I really don't care; rmemeber though that I have been through the experience of watching a new industry suddenly having to implement ASN.1 messages, and most of them get IMPLICIT stuff wrong at first. So that's where I'm coming from.
[15:57:42] <nico-sun> we're moving to unauth plaintext issues
[15:57:49] <kenh> jhutz: There is no clear consensus on whether we should permit PKINIT implementations to reject BER-encoded certs; taken to list.
[15:58:06] <nico-sun> sam is not confident that there is no unauth plaintext issue
[15:58:23] <nico-sun> kenh: maybe we should scribe different participants :_
[15:58:26] <nico-sun> :)
[15:58:41] --- larry has joined
[15:58:52] <kenh> sam: unsure if there are security issues with unsigned parts of the protocol.
[15:59:03] <kenh> (nico, you can take sam for the rest)
[15:59:13] <lha> I don't understand why there are unsigned parts of the messages at all ?
[15:59:13] <nico-sun> Now on to nonces
[15:59:29] <nico-sun> lha: want us to mention this?
[15:59:34] <lha> why isn't all data inside the AuthPack ?
[15:59:45] <kenh> jaltman offered to review the document for security issues.
[16:00:02] <nico-sun> lha: we're not going to resolve that ehre
[16:00:05] <hartmans> Because pkinit sucks?
[16:00:09] <kenh> jhutz: You should ask that on the list.
[16:00:12] <N7DR> FYI, Eric is going to try to join in a few minutes. We are both in a different meeting here :-)
[16:00:15] <nico-sun> someone will be tasked with looking at that and reporting to the list
[16:00:17] <hartmans> And because you explicitly want it for static-static dh
[16:00:44] --- Eric Rosenfeld has joined
[16:01:29] <lha> hartmans: because pkinit needs to be rewritten from scratch now that we know what's broken ?
[16:01:40] <N7DR> I need a beer :-)
[16:02:02] <leifj> (B)
[16:02:15] <kenh> tlyu: FYI: nonce is not a named type in clarifications, but it is constrained.
[16:02:19] <nico-sun> PKINIT nonces: same as clarif? or some octet string of, say, fixed size?
[16:02:32] <kenh> correction: microseconds is constrained.
[16:02:38] <hartmans> I've always supported a rewrite of pkinit from scratch; I realize it is not politically possible
[16:03:23] <kenh> jhutz: We could have Extensions patch PKINIT, but I'm not sure we want to.
[16:03:48] --- leifj has left
[16:03:51] <lha> now, why do pkinit have nonce ? it have a checksum of the request nonce...
[16:03:55] <nico-sun> moving this to the list
[16:03:58] --- leifj has joined
[16:04:03] <nico-sun> static-static dh
[16:04:35] <nico-sun> love's reply enc key issue to the list
[16:04:58] <nico-sun> now onto DH groups issue
[16:05:09] <kenh> jhutz: Russ, will the IESG approve a document where we recommend the use of DH using Oakley groups 1 & 2 only?
[16:05:15] <kenh> Russ: maybe.
[16:05:35] <kenh> jhutz: Based on recent experience with ssh, I would say no.
[16:06:12] <N7DR> But can't we jusyt say "one of the groupos from RFC xxx and yyy"?
[16:06:17] <nico-sun> PKINIT already has group negotiation?
[16:06:22] <nico-sun> jhustz says so
[16:06:32] <lha> encKey was dropped from the spec
[16:06:43] <hartmans> Yes it has negotiation; I think this may be less of an issue that jhutz claims
[16:06:43] <kenh> Doc: The issue is that we now say RFC 2409, and should we change to RFC 3526.
[16:06:52] <nico-sun> do: must have one MUST
[16:06:52] <N7DR> Can;t we include both, though
[16:07:00] <nico-sun> we can have more than one MUS
[16:07:20] <nico-sun> MUST
[16:07:23] <N7DR> Obviously, our implementations all require 2409
[16:07:30] <nico-sun> russ: must have at least one MUST DH group
[16:07:40] <nico-sun> currently groups 1&2 are SHOULDs
[16:08:00] <N7DR> so is what russ just said true?
[16:08:07] <N7DR> Do we have to have a MUST?
[16:08:16] <kenh> doc: Yes.
[16:08:16] <N7DR> What's wrong with SHOULD?
[16:08:21] <nico-sun> MUST group 2 and negotiate others is ok
[16:08:26] <tlyu> doc, it's an interop issue, i think
[16:08:27] <kenh> You need one MUST for interoperability.
[16:08:29] <nico-sun> no need to MUST group 14
[16:08:32] <nico-sun> says russ
[16:08:37] <N7DR> How do you negotiate?
[16:08:41] <nico-sun> dunno
[16:08:58] <N7DR> I think the only way is with a KEY_TOO_WEAK or some such hack
[16:08:59] <kenh> jhutz: Should the client include the root CA cert be in the chain?
[16:09:02] <nico-sun> I haven't payed attention to that part of the I-D
[16:09:15] <kenh> russ: if you include the root CA cert in the chain, _I_ will send it back :-)
[16:09:21] <N7DR> So I don't think that there's a real way to negotiate
[16:09:23] <lha> its sends back and error code and with use this group in a PA
[16:09:56] <lha> s/its/the kdc/
[16:10:13] <N7DR> If there was a way to negotiate, I think we would have used it
[16:10:19] --- amelnikov has left: Replaced by new connection
[16:10:19] --- amelnikov has joined
[16:10:19] --- amelnikov has left
[16:10:20] <nico-sun> doc: you mean that we don't know if KEY_TO_WEAK means cert too week or DH group too weak?
[16:10:27] <N7DR> But if you're sure, then I won't argue
[16:10:29] <nico-sun> do we need a new error?
[16:10:32] --- amelnikov has joined
[16:10:33] <nico-sun> we're not sure
[16:10:35] <nico-sun> !
[16:10:50] <kenh> nico: Are you covering sam?
[16:10:57] <nico-sun> ok, hartmans talking about pre-auth
[16:10:58] <nico-sun> yes
[16:11:00] <lha> its not a new error, its covered by the spec
[16:11:09] <N7DR> KEY_TOO_WEAK menas you have to strengthen the value, but maybe it's really too strong and you want to negotiate downward
[16:11:14] <nico-sun> security analysis of ashing pre-auths together is hard
[16:11:29] <nico-sun> hartmans
[16:11:51] <nico-sun> hartmans: there will be a pre-auth combination pre-auth type
[16:11:57] <nico-sun> or something
[16:11:58] <N7DR> Can't we say MUST support group 2 and SHOULD support a and all the ones i nthe later RFC?
[16:12:09] <nico-sun> hartmans: where to keep state is an issue
[16:12:12] <kenh> doc: That was a recommendation.
[16:12:13] <N7DR> I wish that I could type
[16:12:28] <N7DR> OK; I would agree to that recommendation
[16:12:28] <kenh> doc: heh
[16:12:45] <nico-sun> sam: think I have a solution that will send to list
[16:13:10] <Eric Rosenfeld> send to list when?
[16:13:39] <nico-sun> sam: negotiation, ordering
[16:14:22] <N7DR> I don't like the idea of negotiation if it's going to require more than a single exchange
[16:14:30] <nico-sun> sam: could negotiate ordered pre-auth method from set of such
[16:14:50] <nico-sun> doc: I'lll say more when sam sits down
[16:14:51] <nico-sun> :)
[16:14:58] <nico-sun> sam: will need help
[16:15:15] <nico-sun> reviewing, drawing ascii art
[16:15:19] <nico-sun> sam's done
[16:15:25] <N7DR> IN CableLabs right now group 2 is a MUST to support, group 1 is a MAY
[16:15:32] <kenh> brian: I can help with ASCII art.
[16:16:06] <nico-sun> I think I'm up
[16:16:13] <nico-sun> no, I'm not
[16:16:15] <nico-sun> Leif is
[16:16:22] <nico-sun> :)
[16:16:29] <nico-sun> kenh: you scrib ethis time
[16:16:40] <nico-sun> I found it harder to scribe Sam than I'd thought
[16:16:57] <kenh> nico: will do.
[16:17:04] <nico-sun> doc: pre-auth combination will require multiple round-trips
[16:17:09] <kenh> Leif: krb-information-model.
[16:17:11] <hartmans> Negotiation will require no new round trips
[16:17:19] <kenh> No current comments (AFAIK)
[16:17:19] <nico-sun> the negotiation will not require more than one
[16:17:20] <hartmans> I don't like the idea of negotiation
[16:17:25] <kenh> Orthogonal to change-password
[16:17:34] <kenh> part of any management protocol.
[16:17:39] <nico-sun> oh, ok, I'll let Sam speak for himself
[16:17:52] <hartmans> I can send the signing propoasl out given 10 minutes or so.
[16:17:53] <lha> hartmans: I can read preauth and review
[16:17:53] <kenh> Seems to have exhausted WG momtentum; seems pretty complete.
[16:18:04] <kenh> We need WG review at this point.
[16:18:25] <kenh> (as a FYI: key management is not intended to be done with this draft).
[16:18:26] <jhutz> Leif's slides: info-model-ietf60.sxi
[16:18:50] <kenh> sam: Presented this to a vendor, they were interested, have some feedback to send your way.
[16:18:58] <lha> negotiation is needed as long as we think we need to combine preauth mechs (ie there isn't a secure preauth mech that can stand on its own)
[16:19:00] <kenh> sam: We will try to get that feedback to you.
[16:19:18] <hartmans> Or we think that we want to support combining mechs.
[16:19:26] <kenh> leif: Comments from two IETFs ago were folded into latest draft.
[16:19:37] <kenh> nico: I will review it, and let you know if I have any issues.
[16:19:53] <kenh> sam: I would like it if it was a WG document.
[16:20:21] <kenh> jhutz: Don't have text of charter right now, but I think it fits within scope.
[16:20:54] <lha> hartmans: how can we not need it unless we do something like SRP for password auth
[16:21:01] <kenh> jhutz: My opinion is that I would like it to be a WG item:
[16:21:17] <kenh> Consensus is for having it WG item (no objections)
[16:21:25] <kenh> Russ: Get PKINIT done first.
[16:21:48] <kenh> leif: Will accept any comments on it.
[16:22:03] <N7DR> Where can I find Leif's slides?
[16:22:26] <kenh> doc: We're working on it.
[16:22:36] <N7DR> Oh, OK. Thanks.
[16:22:54] <N7DR> It's tough here, trying to participate in a real meeting at the same time
[16:23:22] <kenh> Nico Williams: set-passwd-v2
[16:23:36] <kenh> Removed some authors, added acknowledgements
[16:23:56] <leifj> http://people.su.se/~leifj/info-model-ietf60.pdf
[16:24:02] <kenh> Removed UDP as transport, redundant framing, ASCII art.
[16:24:39] <kenh> Cleaned up major version negotiation text.
[16:24:52] <kenh> (Removing UDP helps in this regard)
[16:25:07] <kenh> I18N: To be discussed here.
[16:25:36] <kenh> Added dry-run (password test) capability.
[16:26:15] <kenh> Added op to get current s2k params without password change.
[16:26:23] <kenh> (To sync salts after princ/realm renames)
[16:26:45] <kenh> Added optional password quality codes as hints for smart clients (by req from Larry)
[16:27:09] <kenh> Added delayed commitment to change-pw and set-pw operations (requested by Larry)
[16:28:36] <kenh> Larry: I'd like to be able to negoiate error code support so we could add error codes without IETF intervention.
[16:28:44] <kenh> nico: We'll take this to the list.
[16:30:07] <Eric Rosenfeld> hey, had to step away for a minute. Where are we on PKINIT?
[16:30:26] <kenh> Removed field indicating version of Kerberos V5 support (convinced by Sam)>
[16:30:33] <leifj> outstanding issues to the list
[16:30:35] <kenh> Eric: Can you scroll back in your jabber client?
[16:30:36] <leifj> (pkinit)
[16:30:37] <lha> eric: we ran out of time
[16:31:07] <kenh> Nico: The isupport issues may still be controversial (sam said to take offline)
[16:31:21] <kenh> Nico: I18N, Baby One More Time.
[16:31:36] <kenh> Not just just-send-8, but also just-use-8.
[16:33:15] <kenh> just-use-8: When a client and a server are trying to auth, they have better had the same encoding.
[16:33:21] <Eric Rosenfeld> yeah, I have scrolled back, and I didn't see a whole lot of resolution. So what does "ran out of time" mean? I thought PKINIT was the highest priority.
[16:33:50] <jas> re s2k params: Was it out of the question to allow clients to suggest string2key parameters?
[16:34:24] <leifj> i18n is also high on the list - anyways most of the questions need confirmation on the list anyway
[16:34:24] <kenh> We had some issues that consensus was declared in the WG, but we have to ask the WG on the mailing list (since not all the players are here)
[16:35:28] <kenh> Nico: Dual-mode (pre-ext/ext) require aliasing of non-ASCII princ/realm names, salts, passwords if we want them to be used on pre-ext just-8 clients.
[16:36:17] <kenh> Nico: salts & passwords should be sent a display strings to help out pre-ext clients.
[16:37:03] <kenh> SASLprep explicitly prohibits ASCII control characters in their passwords, but current KDCs support it. Probably is a non-issue.
[16:37:53] <kenh> Consensus is for adding encoding hints to protocol (no objections)
[16:39:40] <kenh> Out of the people who read extensions, no one has objections to doc structure.
[16:39:49] <kenh> Doug Engert: Kerberos self-limitations.
[16:40:05] <kenh> Doug: Kerberos too succesfull:
[16:40:23] <kenh> Trust in user's workstation is low (bigger you get, the smaller the trust)
[16:40:36] <kenh> With single sign-on, total reliance on user's workstation.
[16:40:49] <kenh> Delegated ticket is as good as original.
[16:41:47] <kenh> No black-listing of tickets by KDC, especially with cross-realm.
[16:42:06] <hartmans> I think host security is the real long-term solution to this problem
[16:42:15] --- wyllys has left: Disconnected
[16:42:32] <nico-sun> I'd like an authorization data item or binding a ticket to a host principal
[16:42:33] <hartmans> or stick Kerberos in the TCB
[16:42:43] <kenh> I don't disagree, but that's a really hard problem. We could provide some better knobs.
[16:42:51] <hartmans> nico: fine, but that requires TCB-level integration
[16:42:57] <nico-sun> in the ticket: the princ name
[16:43:08] <hartmans> kenh: But all the OS vendors are working on it.
[16:43:29] <nico-sun> in the authenticator: another AP-REQ for the bound princ sing the checksum field to bind that AP-REQ to the outer one
[16:43:40] <kenh> Doug: Conclusions, is that we need more input from the "real world".
[16:44:10] <kenh> hartmans: they are? How so?
[16:44:12] --- raeburn has left: Disconnected
[16:44:34] <hartmans> Linux is working on selinux; Nico tells me wonderful things about Solaris 10 every time we talk
[16:44:39] <kenh> tlyu: These are really qualitfy-of-implementations issues, not so much protocol issues.
[16:44:57] <nico-sun> heh
[16:45:05] <kenh> Ah, I thought you were talking about authorization knobs, not host security.
[16:45:07] <hartmans> Windows actually does a lot of this already although default policy is permissive
[16:45:42] <nico-sun> ken: I'm addressing Doug's point about binding to addresses being useless
[16:45:42] <kenh> Larry Zhu: KDC Referrals
[16:45:50] <hartmans> I don't buy this is Kerberos specific except in so far as Kerberos actually provides a usable experience so you can get it working far enough to get compromised
[16:46:15] <kenh> nico: Okay, but I think he meant in practice, not in theory. In practice, _what we have currently_, they are, IMHO.
[16:46:26] <kenh> But we could certainly have something better.
[16:46:33] <kenh> Larry: Updates
[16:46:54] <kenh> Larry: PA-SERVER-REFERRAL-DATA contains the realm name for the next TGS Request.
[16:47:01] <hartmans> kenh: Possibly I'm not convinced we could have something better that provides a good user experience but I'm happy to try
[16:47:09] <kenh> Solution to the GNU FTP problems.
[16:47:32] <kenh> (e.g., Using an alias GNUFTP to request a ticket for ftp.gnu.org, outside of admin boundary)
[16:48:06] <kenh> Referral data could refer you to the "correct" name.
[16:48:36] <N7DR> Everyone is breaking out the beers here, so er... I have to leave now...
[16:48:41] <kenh> sam: Oh, I don't know how to create anything better, I'm just saying it would be nice if therre was such a thing :-)
[16:48:49] --- Eric Rosenfeld has left
[16:48:50] <warlord> see ya, doc
[16:48:51] <kenh> Larry: Open Issues
[16:48:56] --- N7DR has left
[16:49:04] <kenh> Larry: Ticket & referral info mix & match attack
[16:49:07] <hartmans> Ah, but I do know how to make progress on host security;)
[16:49:18] <kenh> Several Solutions possible
[16:50:00] <kenh> sam: The problem is that if your user base includes mostly random scientists connecting from poorly-administrated Linux boxes, your host security problem is VERY hard.
[16:50:13] <kenh> Larry: Several solutions possible (see slides)
[16:50:42] <kenh> Larry: Next steps - call for consensus on the draft going to last call.
[16:51:06] <kenh> jhutz: Last call is something Doug and I do when we feel the document is ready ... and we base that on your sense of the document's readiness.
[16:51:08] --- nov has joined
[16:51:09] --- lha has left: Logged out
[16:51:18] --- lha has joined
[16:51:39] <nico-sun> are we done? looks like it
[16:51:42] <kenh> sam: I think you're not ready; you probably need a few more reviewers.
[16:52:09] <kenh> jhutz: Please describe your proposals on the mailing list, so we can get more discussions.
[16:52:14] --- hartmans has left
[16:52:24] --- nico-sun has left
[16:52:46] --- tlyu has left
[16:52:54] <kenh> And the meeting is closed.
[16:53:01] --- nov has left
[16:53:07] --- kenh has left
[16:53:21] --- pbh has left
[16:55:36] --- jas has left
[16:55:44] --- DougEngert has left
[16:55:47] --- lha has left
[16:59:42] --- amelnikov has left
[17:07:47] --- jhutz has left: Disconnected
[17:10:21] --- masahiro has left: Disconnected
[17:13:02] --- jaltman has left: Replaced by new connection
[17:13:25] --- jaltman has joined
[17:15:35] --- warlord has left
[17:17:57] --- masahiro has joined
[17:18:01] --- masahiro has left
[17:18:17] --- Kurt has left: Disconnected
[17:22:53] --- leifj has left
[17:44:18] --- jhutz has joined
[17:47:50] --- wyllys has joined
[17:48:02] --- wyllys has left
[17:48:56] --- jhutz has left
[18:20:55] --- raeburn has joined
[18:25:21] --- jaltman has left: Replaced by new connection
[19:05:45] --- raeburn has left: Disconnected