RE: Gen-ART review of draft-ietf-krb-wg-otp-preauth-18

2011-08-25 12:15:57
Make that - Thanks for the quick response. (off-by-one key error ...)

Thanks,
--David


-----Original Message-----
From: Black, David
Sent: Thursday, August 25, 2011 9:14 AM
To: Sam Hartman
Cc: Richards, Gareth; gen-art@ietf.org; ietf@ietf.org; ietf-krb-wg@lists.anl.gov;
stephen.farrell@cs.tcd.ie; Black, David
Subject: RE: Gen-ART review of draft-ietf-krb-wg-otp-preauth-18

Hi Sam,

Thanks for the quick response?  I'll watch for the new text on anonymous 
PKINIT.

Why should we require that alg-ids be registered URIs?

That's not my concern - the existing first paragraph of the IANA
considerations section in the draft requires IANA registration (or at
least tries to) by pointing to the PSKC registry.  My concern is that if
this is going to be done, it needs to be done right (duh!), and the
current text is insufficient.  Please take the issue of whether to use
IANA for this purpose up with Gareth and the WG.

I have no problem with the IETF registering its algorithms there, or us
encouraging people to register them there, but it's a URI. What purpose
is served by forcing registration?

Hmm - more than one URI for the same algorithm might cause interoperability 
problems.

Thanks,
--David

-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf@mit.edu]
Sent: Wednesday, August 24, 2011 10:04 PM
To: Black, David
Cc: Richards, Gareth; gen-art@ietf.org; ietf@ietf.org;
ietf-krb-wg@lists.anl.gov; hartmans-ietf@mit.edu;
stephen.farrell@cs.tcd.ie
Subject: Re: Gen-ART review of draft-ietf-krb-wg-otp-preauth-18

  <david.black@emc.com> writes:


    > [1] In section 6.1 at the top of p.28, I don't believe that the
    > use of lower case "recommended" is a strong enough warning about
    > the danger in using anonymous PKINIT because it exposes the OTP
    > value:

    >    It is therefore recommended that anonymous PKINIT not be used
    > with OTP algorithms that require the OTP value to be sent to the
    > KDC and that careful consideration be made of the security
    > implications before it is used with other algorithms such as those
    > with short OTP values.

    > At a minimum, that warning should be in upper-case:

    >    It is therefore RECOMMENDED that anonymous PKINIT not be used
    > with OTP algorithms that require the OTP value to be sent to the
    > KDC. In addition, the security implications should be carefully
    > considered before anonymous PKINIT is used with other algorithms
    > such as those with short OTP values.

    > Beyond that, the security issue in the first sentence may be
    > severe enough to justify a prohibition, so the following would
    > also be acceptable:

    >    Therefore anonymous PKINIT SHALL NOT be used with OTP
    > algorithms that require the OTP value to be sent to the KDC. In
    > addition, the security implications should be carefully considered
    > before anonymous PKINIT is used with other algorithms such as
    > those with short OTP values.

I definitely agree that we should use RFC 2119 language.
Note that WG participants have questioned this text in last call for
other reasons.
Many implementations use anonymous pkinit in a mode where the KDC's
certificate is verified--that is the client is anonymous but the KDC is
identified through a PKI.
WG participants believe (and I agree) that the security concern does not
apply at all in this case.
So, the text needs reworking.

    > [2] In section 5, the first paragraph in the IANA considerations
    > is unclear, and following its reference to section 4.1, I don't
    > see any clarifying text there either.  I think Sections 4.1 and
    > 4.2 need to say that the value of otp-algID is a URI obtained from
    > the PSKC Algorithm URI Registry, and the first paragraph in
    > section 5 should say that URIs for otp-algID are to be registered
    > in that registry, see RFC 6030.

Why should we require that alg-ids be registered URIs?  I.e. what is
wrong with me using
http://algorithms.painless-security.com/otp/best-thing-since-unsliced-bread
(or a tag URI if you like) for my OTP algorithm?
I have no problem with the IETF registering its algorithms there, or us
encouraging people to register them, but it's a URI. What purpose
is served by forcing registration?
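As an added illustration of the interoperability point raised in this thread (example code, not from the draft, from either author, or from any Kerberos implementation), the Python below sketches how a KDC might resolve an otp-algID URI to an OTP algorithm. The registry class and the algorithm names are hypothetical; the HOTP URN is, to my knowledge, the PSKC algorithm URI that RFC 6030 registers; the painless-security URI is the private one Sam used above; and the tag URI is a constructed second name for that same private algorithm. The point it demonstrates is that syntax-based URI normalization catches spelling variants, but nothing short of a shared registry (or an explicit alias table) lets a KDC recognise two different URIs as the same algorithm.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed identifiers for the demo. The HOTP URN is the PSKC algorithm
# URI registered by RFC 6030 (assumed to be reproduced correctly here); the
# painless-security URI is Sam's example from the thread; the tag URI is a
# constructed second name for that same private algorithm.
HOTP_URI = "urn:ietf:params:xml:ns:keyprov:pskc:hotp"
PRIVATE_URI = ("http://algorithms.painless-security.com/otp/"
               "best-thing-since-unsliced-bread")
PRIVATE_TAG_URI = ("tag:painless-security.com,2011:"
                   "otp/best-thing-since-unsliced-bread")


def normalize_uri(uri: str) -> str:
    """Syntax-based normalization in the spirit of RFC 3986 section 6.2.2:
    scheme and host are case-insensitive, everything else is compared
    as-is. This catches trivial variants of one URI; it cannot discover
    that two unrelated URIs name the same algorithm."""
    parts = urlsplit(uri.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path, parts.query, parts.fragment))


class OtpAlgorithmRegistry:
    """Hypothetical KDC-side map from otp-algID URIs to algorithms (here
    just names). A private, unregistered URI works as long as client and
    KDC both use the same string; the failure mode David points at is a
    second URI for an algorithm the KDC already knows under another name."""

    def __init__(self):
        self._algorithms = {}  # canonical normalized URI -> algorithm name
        self._aliases = {}     # normalized alias URI -> canonical URI

    def register(self, uri, algorithm, aliases=()):
        canonical = normalize_uri(uri)
        self._algorithms[canonical] = algorithm
        for alias in aliases:
            self._aliases[normalize_uri(alias)] = canonical

    def resolve(self, otp_alg_id):
        """Return the algorithm name for an otp-algID, or None when the KDC
        does not recognise the URI (it would then fail pre-authentication
        rather than guess)."""
        key = normalize_uri(otp_alg_id)
        return self._algorithms.get(self._aliases.get(key, key))


def interop_demo():
    """Walk through the cases the thread discusses and return the outcomes."""
    reg = OtpAlgorithmRegistry()
    reg.register(HOTP_URI, "HOTP")
    reg.register(PRIVATE_URI, "PainlessOTP")
    out = {}
    out["registered_urn"] = reg.resolve(HOTP_URI)
    out["private_uri"] = reg.resolve(PRIVATE_URI)
    # Case differences in scheme and host are harmless after normalization.
    out["case_variant"] = reg.resolve(
        PRIVATE_URI.replace("http://algorithms", "HTTP://ALGORITHMS"))
    # A client that learned the same algorithm under the tag URI cannot
    # interoperate with this KDC, although both implement the algorithm.
    out["second_uri_before_alias"] = reg.resolve(PRIVATE_TAG_URI)
    # Only an explicit mapping (what a registry provides) repairs that.
    reg.register(PRIVATE_URI, "PainlessOTP", aliases=[PRIVATE_TAG_URI])
    out["second_uri_after_alias"] = reg.resolve(PRIVATE_TAG_URI)
    return out


if __name__ == "__main__":
    for case, result in interop_demo().items():
        print(f"{case}: {result}")
```

Note that `resolve` returns None for an unknown URI instead of falling back to some default algorithm; a KDC that guessed would silently accept an OTP computed under a different algorithm, which is worse than a clean pre-authentication failure.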

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf