Re: Last Call: draft-ietf-krb-wg-preauth-framework (A Generalized Framework for Kerberos Pre-Authentication) to Proposed Standard

2009-12-10 17:11:42


I hate to be raising last call issues with my own document, but such is
life.

1) Jim Schaad reports that our ASN.1 module is missing an import
statement.

2) Shortly after Jeff submitted the publication request, Tom Yu found
some problems with the assigned numbers in the IANA pre-authentication
registry that is being created.  In response to his last round of
comments back in April we moved some things around and apparently left
some conflicts in place.

The above two are relatively easy to fix.

3) We discovered that the description of ad-authentication-strength at
the bottom of page 36 is incorrect.  It says that
ad-authentication-strength needs to be included in ad-if-relevant.  The
problem with that is that a client could generate a fake
ad-authentication-strength element unless it is integrity protected by
the KDC.  So, ad-authentication-strength really needs to be included in
ad-kdc-issued.  In this case, the KDC provides integrity protection for
the element, preventing a client from including its own claim about
authentication strength.  (This is roughly the difference between signed
and unsigned attributes in CMS).  I need to figure out whether
ad-kdc-issued is inherently non-critical or if you need ad-kdc-issued
plus ad-if-relevant (and if so, what the order should be) to get a
non-critical integrity-protected authorization data element.  This
change should not be a problem; as far as I'm aware none of the
implementations currently include an ad-authentication-strength element.

Sorry that the above point is coming out so late.  We discovered this
when looking at a bug in another protocol and were concerned that we
might have something we needed to treat as a product security problem.
As it turns out, that issue is non-sensitive and I'll be describing it in
a separate message to the working group list.

I request permission from the chairs and Tim to upload a new draft
fixing these three issues once I confirm a resolution for #3 above.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
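The distinction drawn in point 3 above, as an added Python example that is not code from the draft, the working group, or any Kerberos implementation. It models the two RFC 4120 containers involved: AD-IF-RELEVANT, which only marks its contents as safe to ignore and carries no integrity protection of its own, and AD-KDC-ISSUED, whose ad-checksum is a keyed checksum over the contained elements that the KDC computes with key material the client does not hold (RFC 4120 keys it with the ticket session key and key usage 19). A service that only trusts an ad-authentication-strength claim found under a verified AD-KDC-ISSUED container cannot be fooled by a client that submits the same claim bare or under AD-IF-RELEVANT. Assumptions: HMAC-SHA256 stands in for the Kerberos checksum, a canonical JSON encoding stands in for DER, a single `kdc_key` shared by KDC and service stands in for the session key, the ad-type number 70 for ad-authentication-strength is a placeholder, and rejecting the whole authorization data on a bad checksum is this example's own conservative choice. The walker accepts AD-IF-RELEVANT either outside or inside AD-KDC-ISSUED, so it does not prejudge the ordering question raised in the message.

```python
"""Model of why ad-authentication-strength must be carried in AD-KDC-ISSUED.

Added example, not code from draft-ietf-krb-wg-preauth-framework or any
Kerberos implementation.  Simplifications (all assumptions): HMAC-SHA256
stands in for the Kerberos checksum, canonical JSON stands in for DER, and
``kdc_key`` is a secret shared by KDC and service that the client never sees
(RFC 4120 keys the real ad-checksum with the ticket session key).
"""
import hashlib
import hmac
import json

AD_IF_RELEVANT = 1                 # RFC 4120 section 5.2.6.1
AD_KDC_ISSUED = 4                  # RFC 4120 section 5.2.6.2
AD_AUTHENTICATION_STRENGTH = 70    # placeholder ad-type for this example


def encode(elements):
    """Stand-in for the DER encoding of an AuthorizationData sequence."""
    return json.dumps(elements, sort_keys=True, separators=(",", ":")).encode()


def if_relevant(elements):
    """AD-IF-RELEVANT: a wrapper meaning 'ignore if not understood'.  It adds
    no integrity protection; any party can build one."""
    return {"ad-type": AD_IF_RELEVANT, "elements": elements}


def kdc_issue(kdc_key, elements):
    """KDC side of AD-KDC-ISSUED: a keyed checksum over the encoded elements
    binds them to the KDC.  A client without kdc_key cannot produce it."""
    mac = hmac.new(kdc_key, encode(elements), hashlib.sha256).hexdigest()
    return {"ad-type": AD_KDC_ISSUED, "ad-checksum": mac, "elements": elements}


def authentication_strength(kdc_key, authz_data):
    """Service side: return the ad-authentication-strength values that may be
    trusted.  A claim counts only if it sits (at any depth) under an
    AD-KDC-ISSUED container whose checksum verifies.  A bare claim, or one
    under AD-IF-RELEVANT alone, is ignored because the client could have
    supplied it.  A container whose checksum fails makes the whole
    authorization data untrusted (this example's conservative choice)."""
    trusted = []

    def walk(elements, kdc_verified):
        for el in elements:
            ad_type = el["ad-type"]
            if ad_type == AD_KDC_ISSUED:
                expected = hmac.new(kdc_key, encode(el["elements"]),
                                    hashlib.sha256).hexdigest()
                if not hmac.compare_digest(expected, el["ad-checksum"]):
                    raise ValueError("AD-KDC-ISSUED checksum does not verify")
                walk(el["elements"], True)
            elif ad_type == AD_IF_RELEVANT:
                # Non-critical wrapper; inherits whatever trust it is inside.
                walk(el["elements"], kdc_verified)
            elif ad_type == AD_AUTHENTICATION_STRENGTH and kdc_verified:
                trusted.append(el["ad-data"])

    walk(authz_data, False)
    return trusted


def demo():
    """Compare the draft text as written (claim under AD-IF-RELEVANT only)
    with the proposed fix (claim under AD-KDC-ISSUED, marked non-critical by
    an outer AD-IF-RELEVANT).  Returns (trusted_as_written, trusted_fixed)."""
    kdc_key = b"constructed secret shared by KDC and service"  # assumption
    claim = {"ad-type": AD_AUTHENTICATION_STRENGTH, "ad-data": 3}
    # As written on page 36: nothing distinguishes this from a client forgery.
    as_written = [if_relevant([claim])]
    # Proposed fix: the KDC signs the claim; the service can tell it is real.
    fixed = [if_relevant([kdc_issue(kdc_key, [claim])])]
    return (authentication_strength(kdc_key, as_written),
            authentication_strength(kdc_key, fixed))


def client_forgery_rejected():
    """A client that fabricates its own AD-KDC-ISSUED wrapper with a guessed
    key fails verification at the service."""
    kdc_key = b"constructed secret shared by KDC and service"  # assumption
    claim = {"ad-type": AD_AUTHENTICATION_STRENGTH, "ad-data": 9}
    forged = [kdc_issue(b"client's guess at the key", [claim])]
    try:
        authentication_strength(kdc_key, forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("trusted strength (as written, fixed):", demo())
    print("client-forged AD-KDC-ISSUED rejected:", client_forgery_rejected())
```

The point the example makes concrete is the one Sam compares to signed versus unsigned CMS attributes: only the container that carries a checksum under a key the client lacks can convey a claim the service should act on, and wrapping in AD-IF-RELEVANT changes criticality, not trust.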

Current Thread: Re: Last Call: draft-ietf-krb-wg-preauth-framework (A Generalized Framework for Kerberos Pre-Authentication) to Proposed Standard, Sam Hartman