Minutes for krb-wg at IETF65

** IETF 65 - Dallas, TX
** Kerberos Working Group
** Mon, Mar 20 - 09:00 - 11:30

Chair:   Jeffrey Hutzelman
Scribe:  Love Hörnquist-Åstrand

* Agenda:

  + Preliminaries - Jeffrey Hutzelman (5 min)
  + Document Status - Jeffrey Hutzelman (5 min)
  + Technical Discussion (120 min)
    - Anonymity
    - Hash Agility Mandate / SHA-256
    - Set/Change Password
    - Referrals
    - Kerberos Extensions
  + Update Milestones - Chair and Participants (10 min)

* Document Status
  The chair gave a brief update on the status of current documents.
  + PKINIT and OCSP-for-PKINIT have been approved by the IESG.
  + Enctype negotation was been approved by the IESG
  XXX gssapi documents?
  + The PKINIT ECC document is still in progress.
  + There is active work on Larry's anonymity draft, set/change
    password, and extensions.

* Anonymity
  There was a discussion of anonymity and of Larry's draft.
  The sense of the room was that this document was going in the right
  direction and should be adopted as a WG item.  There was discussion
  on the issue of what client principal name should appear in anonymous
  tickets, and of the ticket substitution attack described by Aaron.

	same thing as TLS, client not authenticated

	sam, want to continue w/o continue
	until we have a way to transport assertions

	love, read the draft, agree with the principal

	summary by larry:

		not empty string, use
		    (something like anonymous/anonymous@)
		define ticket flag
		auth path for client and server cross realm
		guidelines for gssapi implemeeaetions
		def, what is anonymous ticket

		getting anon ticket in AS or TGS request
		setting a KDC option
			KDC will return a anonymous ticket and remove auth-data

	document is a acceptet working group item in the next revision

	discussion on anonymity support by other mechanisms

	discussion on realm name

	discussion on name
		   larry: anonymous/anonymous/anonymous
		   tom: a/n/o/n/y/m/o/u/s

		   sam, need a new nameform, needs more general way to do it.

		   jhutz, just another name, plenty of examples before

		   nico, use critical auth-data element?

		   collision

	discussion on how the client sees anonymity


	aron jaggard
		anonyity switching
		leaking names

		nico: authenticated plaintext will fix this?
		sam: does this problem already exists? ---> yes

		the server can't trust the attacker is exposing the
		real client

		document in security considerations?

		how to solve this is unclear

		sam, this is a very specific problem

		go for extention


* Hash Agility
  There was a discussion of algorithm agility in Kerberos and related
  protocols, particularly as it relates to hashes:

  - The core Kerberos protocol has always had enctype negotiation, which
    also negotiates use of associated checksum types.  With the approval
    of the enctype-negotiation document, it is possible for applications
    to negotiate use of an enctype not supported by the KDC.

  - PKINIT has several algorithm negotiation issues and currently uses
    SHA-1 as the only checksum algorithm in the paChecksum slot.  There
    is also a potential issue with a key derivation function which is
    currently based on SHA-1; there is room to add the ability to
    negotiate a different function, but this has not been done and there
    are no alternate KDF's defined.

  - There was a discussion of the impact of this issue on the ECC work.
    Particularly, there is a question as to whether the SHA-1 currently
    used by PKINIT is strong enough for the ECC groups which will be
    introduced by the new document.  Larry will look into this further.

  - RFC4121 (the Kerberos GSSAPI mechanism) has an issue with channel
    bindings, which are currently protected using MD5.  A work item has
    been added to correct this; Shawn Emery will act as editor.

* Kerberos Extensions
  Tom Yu gave us a brief update.  Open issues seem to be language tags
  and the question of whether and how much new ASN.1 syntax to use.


ACTION ITEMS:
  * chair: Get Anonymous listed as a WG item
  * chair: Update milestones
  * lzhu: Evaluate hash strength issue for PKINIT ECC
  * jhutz, lzhu, lha: Figure out milestone for PKINIT Hash Agility
  * jhutz, nico, shawn: Figure out milestone for RFC4121 Hash Agility
  * hartmans: Find out if Nov 2006 is reasonable MS for hash agility

  * New Document Authors
    - PKINIT Hash Agility - Love, Larry
    - RFC4121 Hash Agility - Shawn Emery

MILESTONES:
  Done   - Consensus on direction for Change/Set password
  Jul 06 - Review milestones
  Jul 06 - Last Call Anonymous
  TBD    - Last Call PKINIT Hash Agility
  TBD    - Last Call RFC4121 Hash Agility