Kerberos Working Group Minutes

Meeting: IETF70 at Westin Bayshore Resort and Marina, Vancouver, BC, Canada
Time: 09:00-11:30, Friday, December 7th, 2007
Location: Oak
Chairs: Jeffrey Hutzelman, Larry Zhu
Scribe: Alexey Melnikov
Audio: http://www.ietf.org/audio//ietf703.m3u
       http://limestone.uoregon.edu:8001/ietf703.mp3
Meeting Materials: https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=70

==============================================================

-- Preliminaries (5 minutes)

-- Document Status and Last Calls

* ECC PKINIT - draft-zhu-pkinit-ecc-04.txt, in AD review. No issue discussed.

* Set/Change Password - draft-ietf-krb-wg-kerberos-set-passwd-07.txt, waiting for PROTO review response.

* Data Model - draft-johansson-kerberos-model-04.txt, almost ready; the author missed the deadline for submission. Leif asked for reviews.

* Anonymous - draft-ietf-krb-wg-anon-04.txt, WGLC completed, no issue discussed.

* GSS Hash Agility - draft-ietf-krb-wg-gss-cb-hash-agility-03.txt, WGLC completed. The working group spent a few minutes on this ID. One open issue is the assignment for private use extensions. There is confusion about what the extensions are for. It was clarified that the extensions are to preserve the extensibility of the AP_REQ message, and not for hash agility as the document title suggests. Sam proposed to have a small number of private use numbers to ensure collisions and make sure private use numbers are not actually deployed.
Nico, we want to preserve the criticality flag.
Nico, I'd like to have a typed hole in the AP_REP.
Jhutz, all the extensions are optional.
Nico, fine, get rid of the criticality flag.
Sam, if we need to do criticality, we need to do it now. This might break interop.
The group decided to move on.
Nico asked to add an extension to protect the mechanism OID. Sam agreed. Larry agreed. A few more attendees agreed.

* Cross Realm Problems - draft-ietf-krb-wg-cross-problem-statement-01.txt, WGLC ends Dec 14, 2007. Feedback needed. No specific issue discussed.

* Preauth Framework - draft-ietf-krb-wg-preauth-framework-06.txt, almost ready.

* Referrals - draft-ietf-krb-wg-kerberos-referrals-10.txt, not ready.

-- Technical Discussions

* Preauth Framework
Sam presented an issue. The client currently can't tell the server which authentication set to use; this does not work for the case of many similar mechanisms (multiple secure ID servers).
Group: suggest renaming PA-authentication-set to PA-Authentication-sequence because the container is ordered.
Larry, echo back the pa-set number.
Sam, a number (to identify the set) is slightly better.
Sam, cannot care that much.

* Referrals
The ID did not meet the deadline for IETF70.
Ken, add back the appendix about the Microsoft implementation that was moved to the next revision.
Ken, added an optional time field for when information expires (for caching).
Ken, outstanding issues: validation of client referral data and the authorization data in the cross-realm case.
Ken, problems with the case when multiple accounts share the same password; a referral can change the principal name in the unprotected clear text.
Ken, I have a good idea about fixing this.
Ken, no better solution than client policy.
Nico, a policy-based solution is bad.
Ken, the problem goes away when we have protection.
Nico, using PKINIT is a good mitigation.
Larry, PKINIT is safe, the client name is signed.
Ken, the AD-KDC-issued description is not clear. Will propose new authz data.
Ken, prefer not to special-case NT_ENTERPRISE names.
Ken, to do: add more examples, U2U, crealm, etc.

* Kerberos 5.3
Jhutz, summarizing the Chicago proposal (in his slides).
Martin: StartTLS has a large footprint, not acceptable, bad excuse to include it.
Nico, FAST; not more work if we decouple FAST, StartTLS, and 5.3.
Leif, if we can anticipate a third way, the argument for decoupling is stronger.
Sam pointed out that there is no strong interest in I18N work.
Sam will follow up with Sun on the priorities.
Tim (as AD), work on the one that we have people interested in working on, and let the market decide.
The group moved on to update the milestones.
Leif, I will publish the KAML problem statement, please review.

-- Open Mic
Shawn talks about "derived principal name authorization": delayed, long-running processes, how to authenticate them.
Shawn, create multiple principals, each with a separate key.
Shawn, give away all the rights the user has.
Shawn, another proposal, postdated tickets.
TomYu, create a ticket with a short lifetime but a long renewable time.
Sam/Shawn, too much protocol interaction.