IETF 92 - kitten Working Group Minutes
================================================================

Location: IETF 92, Dallas, TX, US (Fairmont Dallas)
Room: Far East
Time: 2015-03-27 1150-1320
Co-Chairs: Ben Kaduk
           Matt Miller
           Shawn Emery (really outgoing this time)
Scribe: Jim Schaad
Jabber: Alexey Melnikov

Action Items
================================================================

1) draft-ietf-kitten-rfc4402bis
   * Shawn Emery to submit new draft, but may not be until end of May 2015

2) draft-ietf-kitten-rfc6112bis
   * Shawn Emery to submit new draft, but may not be until end of May 2015

3) draft-ietf-kitten-rfc5653bis
   * Chairs to take discussion on Java Stream API to list

4) draft-josefsson-kitten-gs2bis / draft-josefsson-sasl-tls-cb
   * Chairs to work on draft "liaison statement" to TLS WG about the need
     for a functional "tls unique"

5) draft-ietf-krb-wg-pkinit-alg-agility
   * Bill Mills to revive missing edits on the mailing list

6) Non-WG drafts
   * Chairs to discuss how/when to call for adoption of drafts.

Conference Session
================================================================

1. Preliminaries (5 min)

2. Active WG items (20 min)

Chairs briefly review the status of each document, and discuss any open
issues and/or recent comments on each.

2.1 CAMMAC
    draft-ietf-kitten-cammac

2.2 GSS-Loop
    draft-ietf-kitten-gss-loop

2.3 SASL/OAuth
    draft-ietf-kitten-sasl-oauth

2.4 4402 Update
    draft-ietf-kitten-rfc4402bis

    Shawn Emery will submit a new draft as soon as he gets access to the
    file.

2.5 6112 Update
    draft-ietf-kitten-rfc6112bis

    Shawn Emery will do it, but it may take until the end of May.

2.6 5653 Update
    draft-ietf-kitten-rfc5653bis

    Nico Williams thinks that the stream stuff can be removed. The GSI
    folks use a self-framing method with TLS; one could have used the
    Java streaming that way, but not as specified.

    Chairs will take this discussion to the list.
2.7 AES/SHA2
    draft-ietf-kitten-aes-cts-hmac-sha2

2.8 PKINIT-Fresh
    draft-ietf-kitten-pkinit-freshness

2.9 SASL-SAML-EC
    draft-ietf-kitten-sasl-saml-ec

2.10 IAKERB
    draft-ietf-kitten-iakerb

    Nico thinks we should have a mechanism attribute which states that the
    mechanism might not succeed. There are some applications which need to
    avoid this state, i.e., they must always succeed.

2.11 Auth-Ind
    draft-ietf-kitten-krb-auth-indicator

2.12 GS2 Update
    draft-josefsson-kitten-gs2bis

    Need to get a new channel binding (e.g., draft-josefsson-sasl-tls-cb)
    until the TLS session hash fix gets rolled out. Nico says that you
    need to have the session hash from TLS for it to be correct. This
    will also be necessary for the Token Binding WG. Need to have the
    chairs draft a message asking for changes from the TLS working group
    to get real channel bindings.

2.13 IANA-reg
    draft-ietf-kitten-gssapi-extensions-iana

    Tom Yu believes he can get it done in one or two meeting cycles, but
    needs help getting reviews done.

2.14 Channel Bound
    draft-ietf-kitten-channel-bound-flag

    Nico Williams is interested in moving this forward, but does not have
    cycles for it. He needs help to get the state swapped back in. Simo
    Sorce, from the jabber room, would like to assist with this.

2.15 PKINIT-alg
    draft-ietf-krb-wg-pkinit-alg-agility

    Need to revive the one missing edit on the list, and then Bill Mills
    can finish the edits.

3. Kerberos PAD (10 minutes)

Ben Kaduk discussed use cases and requests seen by Simo that motivate
reviving the Kerberos PAD draft.

Nico Williams says this is starting to look like SIDs; the NFS people
might like this.

Group and user identification numbers need to be scoped correctly. They
will be crossing name space boundaries when you cross realms.

Shawn Emery would also like a GSS-API interface.

Nico Williams says you should be able to get a smaller ticket from a
service in exchange for the large ticket with all of your data in it.
Stephen Farrell says that we should check with Microsoft to see if any
IPR issues still apply.

Nico Williams states that if inclusion of POSIX information is covered
by IPR, this whole effort is probably dead.

4. Deprecating old Kerberos encryption types (10 minutes)

Ben Kaduk presented draft-kaduk-kitten-des-des-des-die-die-die.

Kenny Paterson asks about key strengths. The key values could either be
randomly generated or derived from passwords. If derived from passwords,
biases in RC4 are the least of your problems among these attacks.

Shawn Emery says that some of the newer mechanisms replace password-derived
key generation in stream.

Bill Mills says that Windows XP and 2003 servers are being eliminated by
PCI compliance enforcement.

5. Kerberos Service Discovery

Ben Kaduk talked about draft-mccallum-kitten-krb-service-discovery.

Nico supports the draft, as does Simo Sorce.

6. Extra round trips in Kerberos (10 minutes)

Nico will present draft-williams-kitten-krb5-extra-rt.

Shawn Emery agrees this would be helpful.

7. GSS-only Kerberos encryption types (10 minutes)

Nico Williams talked about this proposal to bring in, e.g., GCM mode for
improved performance.

Ben Kaduk notes that there are several encryption type registry entries
with strong restrictions on usage context.

8. PKCROSS (10 minutes)

Nico Williams talked about draft-williams-kitten-krb5-pkcross and the
various alternate proposals which have been made.

9. GSS generic naming attributes (10 minutes)

Nico Williams talked about draft-williams-kitten-generic-naming-attributes.

10. Open mic (5 min)

Nico Williams, regarding the registry: we may be able to drop a couple of
these documents and go directly to IANA expert review on them.

Chairs poll the room to see how many of the non-WG drafts people have
read, in preparation for a call for adoption. Poor showing in the room;
generally the same 3 or 4 individuals.

Chairs need to discuss how and when to call for adoption on some or all
of the non-WG documents.