
RE: Gen-ART review of draft-ietf-krb-wg-otp-preauth-18

2011-08-26 11:08:58


    > [1] In section 6.1 at the top of p.28, I don't believe that the
    > use of lower case "recommended" is a strong enough warning about
    > the danger in using anonymous PKINIT because it exposes the OTP
    > value:

    >    It is therefore recommended that anonymous PKINIT not be used
    > with OTP algorithms that require the OTP value to be sent to the
    > KDC and that careful consideration be made of the security
    > implications before it is used with other algorithms such as those
    > with short OTP values.

    > At a minimum, that warning should be in upper-case:

    >    It is therefore RECOMMENDED that anonymous PKINIT not be used
    > with OTP algorithms that require the OTP value to be sent to the
    > KDC. In addition, the security implications should be carefully
    > considered before anonymous PKINIT is used with other algorithms
    > such as those with short OTP values.

    > Beyond that, the security issue in the first sentence may be
    > severe enough to justify a prohibition, so the following would
    > also be acceptable:

    >    Therefore anonymous PKINIT SHALL NOT be used with OTP
    > algorithms that require the OTP value to be sent to the KDC. In
    > addition, the security implications should be carefully considered
    > before anonymous PKINIT is used with other algorithms such as
    > those with short OTP values.

I definitely agree that we should use RFC 2119 language.
Note that WG participants have questioned this text in last call for
other reasons.
Many implementations use anonymous PKINIT in a mode where the KDC's
certificate is verified; that is, the client is anonymous but the KDC is
identified through a PKI.
WG participants believe (and I agree) that the security concern does
not apply at all in this case.
So, the text needs reworking.


I believe that the WG consensus here was that this security issue only applies
if the identity of the KDC has not been verified.

How about the following updated version of the paragraph?

   Therefore, unless the identity of the KDC has been verified,
   anonymous PKINIT SHALL NOT be used with OTP
   algorithms that require the OTP value to be sent to the KDC.  In
   addition, the security considerations should be carefully considered
   before anonymous PKINIT is used with other algorithms such as those
   with short OTP values.


--Gareth
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf