[00:08:01] --- wyllys has joined
[00:11:07] --- wyllys has left
[00:16:30] --- wyllys has joined
[00:16:36] --- wyllys has left
[11:06:26] --- wyllys has joined
[11:06:29] --- wyllys has left
[11:12:47] --- wyllys has joined
[12:49:59] --- wyllys has left
[13:10:31] --- jas has joined
[14:14:51] --- hartmans has joined
[14:18:49] --- kenh has joined
[14:33:57] --- jaltman has joined
[14:38:12] --- warlord has joined
[14:38:27] --- tlyu has joined
[14:39:38] --- DougEngert has joined
[14:40:41] --- leifj has joined
[14:41:38] --- leifj has left
[14:42:07] --- leifj has joined
[14:43:01] --- raeburn has joined
[14:43:05] --- lha has joined
[14:45:18] --- jhutz has joined
[14:49:00] --- krb-wg has joined
[14:49:04] <kenh> Doug Engert is opening the meeting.
[14:49:06] --- pbh has joined
[14:49:15] <hartmans> Pre-meeting discussion suggests that we may be
able to require DER for CMS, but their may be problems with certs.
[14:49:22] <kenh> Passing of blue sheets, etc.
[14:49:53] <hartmans> Especially when directories are involved; they
tend to produce BER encodings of certs.
[14:49:59] <kenh> (Any notes other than the jabber scribe are welcome)
[14:50:52] <krb-wg> so signature verification involves decoding and
re-encoding; collective groan followed
[14:50:54] <jhutz> http://grand.central.org/dl/ietf-krb-wg/
[14:51:01] <lha> encryptedContent when doing encryptedData is a problem
[14:51:05] --- masahiro has joined
[14:52:05] <jaltman> welcome to the 59th IETF
[14:52:21] <lha> some implementation does BER encoding of the OCTET
STRING for streaming reasons, and then part of the data is BER and part DER
[14:52:27] <kenh> Agenda bashing ... very quickly.
[14:52:51] <kenh> (Note: bulk of time will be spent on pkinit)
[14:53:00] --- wyllys has joined
[14:53:56] <kenh> note: jhutz has a crappy laptop and it doesn't display
the agenda properly.
[14:54:33] <jaltman> according to Russ, some X.500 directories accept a
certificate in DER and re-encode it in BER and then send the BER encoded
version when a certificate is requested from the directory. The
recipient must decode the BER and re-encode as DER before verifying the
signatures. Implementations which do not support both BER and DER will
be *surprised*.
[14:55:08] <kenh> First topic: Document status
[14:55:23] <kenh> Crypto Framework: RFC Editor Queue
[14:55:24] <lha> pwd
[14:55:41] <krb-wg> am I showing up here?
[14:55:46] <kenh> Yes.
[14:55:50] <jaltman> who are you?
[14:55:54] <krb-wg> as nico-sun?
[14:56:00] <leifj> as krb-wg
[14:56:02] <raeburn> no, as krb-wg
[14:56:02] <hartmans> Loe, do you object to the PRF change? I assume you
have actually implemented.
[14:56:12] <krb-wg> why? how to fix?
[14:56:25] --- krb-wg is now known as nico-sun
[14:56:34] <nico-sun> ok, got it
[14:56:41] <nico-sun> (sigh)
[14:56:52] <lha> hartmans: PRF change is just fine, implemented but not
deployed so it doesn't matter
[14:56:58] <leifj> sam speaks to prf
[14:57:55] <kenh> Sam Hartmans: We try to avoid using keys directly, and
instead we want to derive keys for each use. We didn't do this for PRF.
We want to change this. Basically, instead of using the protocol key
directly, you call DK() on the key with a fixed constant (which we need
to decide on). One line document change.\
[14:58:47] <kenh> Number of votes for this change, nobody opposed.
[14:59:06] <kenh> Next Topic: GSSAPI-CFX: RFC Editor Queue
[14:59:58] <kenh> Steve Bellovin said he was unsure with Sam's assertion
that no registries are needed, still outstanding.
[15:00:09] <kenh> Next topic: AES
[15:00:26] <kenh> Still in IESG queue.
[15:01:01] <kenh> Ken raeburn: Comments from last-call process: some of
the recommendations were vague (e.g., key salting recommendations)
[15:01:15] <kenh> Russs Housley: AD's haven't decided on it yet.
[15:02:48] <kenh> Next topic: Clarifications
[15:03:06] <leifj> pepole are playing around with the projector here....
[15:03:43] <kenh> Status: One more revision to go.
[15:04:34] <kenh> Issue from Steve Bellovin regarding link-local
addresses; discussed with ADs in the Internet area, believe it is resolved.
[15:05:33] <kenh> Cliff Neuman will put out a set of changes.
[15:06:06] <kenh> Another issue on mailing list: Requests from Nico
Williams & Wyllys Ingersoll to add AES-128 enctype to clarifications.
[15:06:20] <nico-sun> as recommended
[15:06:33] --- amelnikov has joined
[15:06:36] <nico-sun> (SHOULD)
[15:06:45] <kenh> If there are no objections, they will be added for
next revision.
[15:07:05] <kenh> Next topic: WG Priorities
[15:07:35] <kenh> Going through WG milestones and seeing if they still
apply.
[15:08:47] <kenh> (First milestone should be "Clarifications", not
extensions).
[15:09:11] --- wyllys has left
[15:09:18] <kenh> First draft of pre-auth framework issued, should be
complete in Jan 05.
[15:09:47] <kenh> First draft of extensions: Document should be complete
by Washington.
[15:10:40] <kenh> Need to adjust time for PKINIT milestone.
[15:11:16] <kenh> Adjust extensions document submission to IESG to April 05
[15:12:03] <kenh> Holding off on set/change password milestone date for now.
[15:12:29] <nico-sun> we'll talk about the date after my presentation on
set-passwd v2
[15:13:27] <kenh> Suggestion for pre-auth framework milestone for Jan
05; still undecided.
[15:13:39] <kenh> Sugggestion to drop milestone for PKCROSS because it's
too far out.
[15:14:20] <kenh> Russ points out that if a document is listed in the
charters, it neeeds to be on the milestones.
[15:15:22] <kenh> There doesn't seem to be a charter listed on the web
page for krb-wg; will have to defer discussion on PKCROSS.
[15:15:37] --- wyllys has joined
[15:15:50] <kenh> Final item: Milestone review. We're ahead on this one.
[15:16:05] <kenh> Next Topic: PKINIT, Brian Tung speaking.
[15:16:31] <kenh> Major issues (culled by Jhutz from the mailing list)
[15:17:08] <kenh> OCSP and optional revocation info: Should we merge
spec into PKINIT or submit as separate draft?
[15:17:28] <kenh> Brian: Thought Nico and Larry were in agreement.
[15:18:13] <kenh> Nico: Only objection right now is where OCSP
[15:18:18] --- amelnikov has left: Replaced by new connection
[15:18:19] --- amelnikov has joined
[15:18:19] --- amelnikov has left
[15:18:23] <kenh> ... where OCSP info goes.
[15:19:12] <nico-sun> separate PA, separate I-D
[15:19:23] <nico-sun> the end
[15:19:34] <kenh> DH Key derivation
[15:20:42] <kenh> Sam: What we're trying to do is that several parties
want to be able cache a DH key for several hours and use it again in
static-static mode.
[15:21:03] <kenh> Sam: Main issue is how we do key derivation and how we
use nonces.
[15:23:10] <kenh> New proposal: Add nonces both directions, DH-specific
nonces, longer than clarifications nonces, You will have to omit the
nonces in the signed data using this mode. You then take a bunch of
stuff and in the packet and feed it into PRF.
[15:23:55] <kenh> This requires a wire format change; I believe we
should defer the discussion until we see if we have other wire format
changes.
[15:24:04] <lha> I don't see any real problem with changing the wire
format, the server is aware of old/new client via PA number
[15:24:05] --- jaltman has left: Replaced by new connection
[15:24:05] --- jaltman has joined
[15:24:05] --- jaltman has left
[15:24:16] <kenh> Consensus of room is that we should do it.
[15:25:33] --- amelnikov has joined
[15:25:38] <kenh> (The whole issue of wire format changes will be
deferred to the list)
[15:26:31] <kenh> (the question of MAY versus SHOULD will also be
deferred to the list)
[15:26:45] <kenh> Next subtopic: DER versus BER.
[15:27:54] <nico-sun> DAP does the evil thing
[15:28:18] <nico-sun> the evil thing being: decode, re-encode using
different rules, which breaks the sig
[15:28:41] <nico-sun> but that's ok cause the peer decodes, re-encodes
and verifies the signature
[15:28:50] <lha> encryptedContent when doing encryptedData is a problem,
some implementations will encode the encryptedData in BER so they can
stream data into the object regardless if it knows the length of the
inline data or not
[15:29:03] <kenh> Russ: When a CA makes a certificate, it encodes it in
DER. When the cert is placed in a X.500 directory, the protocol that you
talk to the X.500 directory (DAP) doesn't use an octet-string for the
cert, but the ASN.1 structure of the cert.
[15:29:15] <nico-sun> evil indeed
[15:29:35] <kenh> Russ: And the directory will encode the cert in BER,
so clients need to be able to decode and reencode it in DER.
[15:30:03] <lha> example:
http://people.su.se/~lha/patches/heimdal/pkinit-needs-octet-string-wrapping.txt
[15:31:31] <tlyu> lha, is there a hexdump of that encoding?
[15:31:47] --- jaltman has joined
[15:32:00] <kenh> jhutz: We'd like to specify one encoding, and we'd
like it to be DER.
[15:32:28] <lha> tlyu: replace txt with raw and you the the binary blob
[15:32:34] <kenh> sam: I'd like to object to picking DER. It seems like
we're doing this for one vendor which didn't support indefinite-length
encodings.
[15:34:46] <kenh> tlyu: My experience is that going from a hand-coded
DER encoder/decoder to a general-purpose BER encoder is hard.
[15:35:12] <lha> I don't mind picking DER, but I think its wrong and we
couldn't do it (I voiced this concern in ietf-58, so its not like you
had warning)
[15:35:43] <nico-sun> lha: I just offered a straw man: specify BER for
the PKINIT types
[15:35:45] <nico-sun> :)
[15:36:24] <kenh> jhutz: I'll channel some stuff from CableLabs: They
believe that permitting BER is a significant change in the spec, and
they will choose to be non-compliant in this respect. They won't like
it, but that's what they will choose to do.
[15:37:55] <kenh> sam: The assumption is that we would like to make life
easier for one vendor by specifying DER. But we're also making life
easier for another vendor by spec'ing BER.
[15:38:33] <kenh> sam: When picking a vendor to make life easier, we
should pick a vendor who is operating on the open internet, and not one
in a walled garden.
[15:39:17] <lha> Its a CMS type, we can't choose, its BER. so the
question is if we should allow BER in kerberos spec or wrap it with
OCTET STRING
[15:39:26] <nico-sun> does Heimdal use its own CMS implementation?
[15:39:33] <nico-sun> or does it use OpenSSL
[15:40:11] <nico-sun> Leif says it uses its own
[15:40:57] <lha> heimdal have code that three versions of it, valicert,
openssl, heimdal. the first two requires me to use something of the
equvalent of ANY
[15:41:33] <nico-sun> IOS
[15:41:44] <nico-sun> Information Object System
[15:41:47] <nico-sun> :)
[15:42:03] <kenh> jhutz: Channeling cablelabs again: Wrapping CMS in
octet string isn't harder, but it will be a protocol format.
[15:42:32] <lha> heimdal's asn1 parser/generator only support enough BER
to work with DCE
[15:42:56] --- N7DR has joined
[15:43:51] <kenh> jhutz: Wrapping helps some vendors seperate from the
encoding issue.
[15:45:40] <kenh> jhutz: Note that wrapping is not intended to solve the
DER versus BER issue; it's to solve the issue of "I want to use a CMS
library to parse certificates" issue.
[15:46:32] <kenh> jhutz: Does using IMPLICIT OCTET STRING avoid a change
to the on-the-wire protocol?
[15:46:43] <kenh> tlyu: No, it does not avoid a change.
[15:47:12] <kenh> tlyu: it's a one-bit change to the on-wire protocol.
[15:49:03] --- Kurt has joined
[15:49:42] <kenh> Consensus of the room is that we want to wrap it with
OCTET-STRING. Are there objections on jabber?
[15:50:01] <nico-sun> IMPLICIT OCTET STRING
[15:50:19] <kenh> hey, nico, you're welcome to take over scribe if you
want :-)
[15:50:47] <warlord> was it Implicit or Explicit? I thought Explicit
[15:51:13] <raeburn> explicit has bigger on-wire change; implicit is the
one-bit change.
[15:51:52] <N7DR> Not much in it really; they are both changes, but noth
are small changes, aren't they?
[15:52:08] <N7DR> FWIW, I gneerally prefer EXPLICIT wherever possible
[15:52:26] <nico-sun> warlord: implicit
[15:52:47] <warlord> ok, that seemed unclear
[15:52:53] <warlord> (to me)
[15:53:21] <kenh> jhutz is being especially grumpy right now.
[15:53:27] <nico-sun> does the room agree with me?
[15:53:34] <N7DR> I owuld like ot echo the earlier comment about the
difficulty of converting from a hand DER encoder/decoder to a general
BER one; it's a rather difficult change
[15:53:39] --- pbh has left: Replaced by new connection
[15:53:39] --- pbh has joined
[15:53:39] --- pbh has left
[15:53:52] --- pbh has joined
[15:54:35] <N7DR> My experience with people who are new to ASN.1 encoded
messages are much more likely to get EXPLICIT right than they are to get
IMPLICIT right
[15:54:37] <lha> MS uses IMPLICIT OCTET STRING to wrap all CMS types
[15:54:58] <hartmans> Yeah, this is tough. We're basically chosing
between simplicity and supporting all off the shelf CMS encoders
[15:55:37] <hartmans> Well, if you prefer explicit tags bring that up on
the list.
[15:55:46] <hartmans> I think the rest of us don't care so much
[15:56:49] <N7DR> I really don't care; rmemeber though that I have been
through the experience of watching a new industry suddenly having to
implement ASN.1 messages, and most of them get IMPLICIT stuff wrong at
first. So that's where I'm coming from.
[15:57:42] <nico-sun> we're moving to unauth plaintext issues
[15:57:49] <kenh> jhutz: There is no clear consensus on whether we
should permit PKINIT implementations to reject BER-encoded certs; taken
to list.
[15:58:06] <nico-sun> sam is not confident that there is no unauth
plaintext issue
[15:58:23] <nico-sun> kenh: maybe we should scribe different participants :_
[15:58:26] <nico-sun> :)
[15:58:41] --- larry has joined
[15:58:52] <kenh> sam: unsure if there are security issues with unsigned
parts of the protocol.
[15:59:03] <kenh> (nico, you can take sam for the rest)
[15:59:13] <lha> I don't understand why there are unsigned parts of the
messages at all ?
[15:59:13] <nico-sun> Now on to nonces
[15:59:29] <nico-sun> lha: want us to mention this?
[15:59:34] <lha> why isn't all data inside the AuthPack ?
[15:59:45] <kenh> jaltman offered to review the document for security
issues.
[16:00:02] <nico-sun> lha: we're not going to resolve that ehre
[16:00:05] <hartmans> Because pkinit sucks?
[16:00:09] <kenh> jhutz: You should ask that on the list.
[16:00:12] <N7DR> FYI, Eric is going to try to join in a few minutes. We
are both in a different meeting here :-)
[16:00:15] <nico-sun> someone will be tasked with looking at that and
reporting to the list
[16:00:17] <hartmans> And because you explicitly want it for
static-static dh
[16:00:44] --- Eric Rosenfeld has joined
[16:01:29] <lha> hartmans: because pkinit needs to be rewritten from
scratch now that we know what's broken ?
[16:01:40] <N7DR> I need a beer :-)
[16:02:02] <leifj> (B)
[16:02:15] <kenh> tlyu: FYI: nonce is not a named type in
clarifications, but it is constrained.
[16:02:19] <nico-sun> PKINIT nonces: same as clarif? or some octet
string of, say, fixed size?
[16:02:32] <kenh> correction: microseconds is constrained.
[16:02:38] <hartmans> I've always supported a rewrite of pkinit from
scratch; I realize it is not politically possible
[16:03:23] <kenh> jhutz: We could have Extensions patch PKINIT, but I'm
not sure we want to.
[16:03:48] --- leifj has left
[16:03:51] <lha> now, why do pkinit have nonce ? it have a checksum of
the request nonce...
[16:03:55] <nico-sun> moving this to the list
[16:03:58] --- leifj has joined
[16:04:03] <nico-sun> static-static dh
[16:04:35] <nico-sun> love's reply enc key issue to the list
[16:04:58] <nico-sun> now onto DH groups issue
[16:05:09] <kenh> jhutz: Russ, will the IESG approve a document where we
recommend the use of DH using Oakley groups 1 & 2 only?
[16:05:15] <kenh> Russ: maybe.
[16:05:35] <kenh> jhutz: Based on recent experience with ssh, I would
say no.
[16:06:12] <N7DR> But can't we jusyt say "one of the groupos from RFC
xxx and yyy"?
[16:06:17] <nico-sun> PKINIT already has group negotiation?
[16:06:22] <nico-sun> jhustz says so
[16:06:32] <lha> encKey was dropped from the spec
[16:06:43] <hartmans> Yes it has negotiation; I think this may be less
of an issue that jhutz claims
[16:06:43] <kenh> Doc: The issue is that we now say RFC 2409, and should
we change to RFC 3526.
[16:06:52] <nico-sun> do: must have one MUST
[16:06:52] <N7DR> Can;t we include both, though
[16:07:00] <nico-sun> we can have more than one MUS
[16:07:20] <nico-sun> MUST
[16:07:23] <N7DR> Obviously, our implementations all require 2409
[16:07:30] <nico-sun> russ: must have at least one MUST DH group
[16:07:40] <nico-sun> currently groups 1&2 are SHOULDs
[16:08:00] <N7DR> so is what russ just said true?
[16:08:07] <N7DR> Do we have to have a MUST?
[16:08:16] <kenh> doc: Yes.
[16:08:16] <N7DR> What's wrong with SHOULD?
[16:08:21] <nico-sun> MUST group 2 and negotiate others is ok
[16:08:26] <tlyu> doc, it's an interop issue, i think
[16:08:27] <kenh> You need one MUST for interoperability.
[16:08:29] <nico-sun> no need to MUST group 14
[16:08:32] <nico-sun> says russ
[16:08:37] <N7DR> How do you negotiate?
[16:08:41] <nico-sun> dunno
[16:08:58] <N7DR> I think the only way is with a KEY_TOO_WEAK or some
such hack
[16:08:59] <kenh> jhutz: Should the client include the root CA cert be
in the chain?
[16:09:02] <nico-sun> I haven't payed attention to that part of the I-D
[16:09:15] <kenh> russ: if you include the root CA cert in the chain,
_I_ will send it back :-)
[16:09:21] <N7DR> So I don't think that there's a real way to negotiate
[16:09:23] <lha> its sends back and error code and with use this group
in a PA
[16:09:56] <lha> s/its/the kdc/
[16:10:13] <N7DR> If there was a way to negotiate, I think we would have
used it
[16:10:19] --- amelnikov has left: Replaced by new connection
[16:10:19] --- amelnikov has joined
[16:10:19] --- amelnikov has left
[16:10:20] <nico-sun> doc: you mean that we don't know if KEY_TO_WEAK
means cert too week or DH group too weak?
[16:10:27] <N7DR> But if you're sure, then I won't argue
[16:10:29] <nico-sun> do we need a new error?
[16:10:32] --- amelnikov has joined
[16:10:33] <nico-sun> we're not sure
[16:10:35] <nico-sun> !
[16:10:50] <kenh> nico: Are you covering sam?
[16:10:57] <nico-sun> ok, hartmans talking about pre-auth
[16:10:58] <nico-sun> yes
[16:11:00] <lha> its not a new error, its covered by the spec
[16:11:09] <N7DR> KEY_TOO_WEAK menas you have to strengthen the value,
but maybe it's really too strong and you want to negotiate downward
[16:11:14] <nico-sun> security analysis of ashing pre-auths together is hard
[16:11:29] <nico-sun> hartmans
[16:11:51] <nico-sun> hartmans: there will be a pre-auth combination
pre-auth type
[16:11:57] <nico-sun> or something
[16:11:58] <N7DR> Can't we say MUST support group 2 and SHOULD support a
and all the ones i nthe later RFC?
[16:12:09] <nico-sun> hartmans: where to keep state is an issue
[16:12:12] <kenh> doc: That was a recommendation.
[16:12:13] <N7DR> I wish that I could type
[16:12:28] <N7DR> OK; I would agree to that recommendation
[16:12:28] <kenh> doc: heh
[16:12:45] <nico-sun> sam: think I have a solution that will send to list
[16:13:10] <Eric Rosenfeld> send to list when?
[16:13:39] <nico-sun> sam: negotiation, ordering
[16:14:22] <N7DR> I don't like the idea of negotiation if it's going to
require more than a single exchange
[16:14:30] <nico-sun> sam: could negotiate ordered pre-auth method from
set of such
[16:14:50] <nico-sun> doc: I'lll say more when sam sits down
[16:14:51] <nico-sun> :)
[16:14:58] <nico-sun> sam: will need help
[16:15:15] <nico-sun> reviewing, drawing ascii art
[16:15:19] <nico-sun> sam's done
[16:15:25] <N7DR> IN CableLabs right now group 2 is a MUST to support,
group 1 is a MAY
[16:15:32] <kenh> brian: I can help with ASCII art.
[16:16:06] <nico-sun> I think I'm up
[16:16:13] <nico-sun> no, I'm not
[16:16:15] <nico-sun> Leif is
[16:16:22] <nico-sun> :)
[16:16:29] <nico-sun> kenh: you scrib ethis time
[16:16:40] <nico-sun> I found it harder to scribe Sam than I'd thought
[16:16:57] <kenh> nico: will do.
[16:17:04] <nico-sun> doc: pre-auth combination will require multiple
round-trips
[16:17:09] <kenh> Leif: krb-information-model.
[16:17:11] <hartmans> Negotiation will require no new round trips
[16:17:19] <kenh> No current comments (AFAIK)
[16:17:19] <nico-sun> the negotiation will not require more than one
[16:17:20] <hartmans> I don't like the idea of negotiation
[16:17:25] <kenh> Orthogonal to change-password
[16:17:34] <kenh> part of any management protocol.
[16:17:39] <nico-sun> oh, ok, I'll let Sam speak for himself
[16:17:52] <hartmans> I can send the signing propoasl out given 10
minutes or so.
[16:17:53] <lha> hartmans: I can read preauth and review
[16:17:53] <kenh> Seems to have exhausted WG momtentum; seems pretty
complete.
[16:18:04] <kenh> We need WG review at this point.
[16:18:25] <kenh> (as a FYI: key management is not intended to be done
with this draft).
[16:18:26] <jhutz> Leif's slides: info-model-ietf60.sxi
[16:18:50] <kenh> sam: Presented this to a vendor, they were interested,
have some feedback to send your way.
[16:18:58] <lha> negotiation is needed as long as we think we need to
combine preauth mechs (ie there isn't a secure preauth mech that can
stand on its own)
[16:19:00] <kenh> sam: We will try to get that feedback to you.
[16:19:18] <hartmans> Or we think that we want to support combining mechs.
[16:19:26] <kenh> leif: Comments from two IETFs ago were folded into
latest draft.
[16:19:37] <kenh> nico: I will review it, and let you know if I have any
issues.
[16:19:53] <kenh> sam: I would like it if it was a WG document.
[16:20:21] <kenh> jhutz: Don't have text of charter right now, but I
think it fits within scope.
[16:20:54] <lha> hartmans: how can we not need it unless we do something
like SRP for password auth
[16:21:01] <kenh> jhutz: My opinion is that I would like it to be a WG item:
[16:21:17] <kenh> Consensus is for having it WG item (no objections)
[16:21:25] <kenh> Russ: Get PKINIT done first.
[16:21:48] <kenh> leif: Will accept any comments on it.
[16:22:03] <N7DR> Where can I find Leif's slides?
[16:22:26] <kenh> doc: We're working on it.
[16:22:36] <N7DR> Oh, OK. Thanks.
[16:22:54] <N7DR> It's tough here, trying to participate in a real
meeting at the same time
[16:23:22] <kenh> Nico Williams: set-passwd-v2
[16:23:36] <kenh> Removed some authors, added acknowledgements
[16:23:56] <leifj> http://people.su.se/~leifj/info-model-ietf60.pdf
[16:24:02] <kenh> Removed UDP as transport, redundant framing, ASCII art.
[16:24:39] <kenh> Cleaned up major version negotiation text.
[16:24:52] <kenh> (Removing UDP helps in this regard)
[16:25:07] <kenh> I18N: To be discussed here.
[16:25:36] <kenh> Added dry-run (password test) capability.
[16:26:15] <kenh> Added op to get current s2k params without password
change.
[16:26:23] <kenh> (To sync salts after princ/realm renames)
[16:26:45] <kenh> Added optional password quality codes as hints for
smart clients (by req from Larry)
[16:27:09] <kenh> Added delayed commitment to change-pw and set-pw
operations (requested by Larry)
[16:28:36] <kenh> Larry: I'd like to be able to negoiate error code
support so we could add error codes without IETF intervention.
[16:28:44] <kenh> nico: We'll take this to the list.
[16:30:07] <Eric Rosenfeld> hey, had to step away for a minute. Where
are we on PKINIT?
[16:30:26] <kenh> Removed field indicating version of Kerberos V5
support (convinced by Sam)>
[16:30:33] <leifj> outstanding issues to the list
[16:30:35] <kenh> Eric: Can you scroll back in your jabber client?
[16:30:36] <leifj> (pkinit)
[16:30:37] <lha> eric: we ran out of time
[16:31:07] <kenh> Nico: The isupport issues may still be controversial
(sam said to take offline)
[16:31:21] <kenh> Nico: I18N, Baby One More Time.
[16:31:36] <kenh> Not just just-send-8, but also just-use-8.
[16:33:15] <kenh> just-use-8: When a client and a server are trying to
auth, they have better had the same encoding.
[16:33:21] <Eric Rosenfeld> yeah, I have scrolled back, and I didn't see
a whole lot of resolution. So what does "ran out of time" mean? I
thought PKINIT was the highest priority.
[16:33:50] <jas> re s2k params: Was it out of the question to allow
clients to suggest string2key parameters?
[16:34:24] <leifj> i18n is also high on the list - anyways most of the
questions need confirmation on the list anyway
[16:34:24] <kenh> We had some issues that consensus was declared in the
WG, but we have to ask the WG on the mailing list (since not all the
players are here)
[16:35:28] <kenh> Nico: Dual-mode (pre-ext/ext) require aliasing of
non-ASCII princ/realm names, salts, passwords if we want them to be used
on pre-ext just-8 clients.
[16:36:17] <kenh> Nico: salts & passwords should be sent a display
strings to help out pre-ext clients.
[16:37:03] <kenh> SASLprep explicitly prohibits ASCII control characters
in their passwords, but current KDCs support it. Probably is a non-issue.
[16:37:53] <kenh> Consensus is for adding encoding hints to protocol (no
objections)
[16:39:40] <kenh> Out of the people who read extensions, no one has
objections to doc structure.
[16:39:49] <kenh> Doug Engert: Kerberos self-limitations.
[16:40:05] <kenh> Doug: Kerberos too succesfull:
[16:40:23] <kenh> Trust in user's workstation is low (bigger you get,
the smaller the trust)
[16:40:36] <kenh> With single sign-on, total reliance on user's workstation.
[16:40:49] <kenh> Delegated ticket is as good as original.
[16:41:47] <kenh> No black-listing of tickets by KDC, especially with
cross-realm.
[16:42:06] <hartmans> I think host security is the real long-term
solution to this problem
[16:42:15] --- wyllys has left: Disconnected
[16:42:32] <nico-sun> I'd like an authorization data item or binding a
ticket to a host principal
[16:42:33] <hartmans> or stick Kerberos in the TCB
[16:42:43] <kenh> I don't disagree, but that's a really hard problem. We
could provide some better knobs.
[16:42:51] <hartmans> nico: fine, but that requires TCB-level integration
[16:42:57] <nico-sun> in the ticket: the princ name
[16:43:08] <hartmans> kenh: But all the OS vendors are working on it.
[16:43:29] <nico-sun> in the authenticator: another AP-REQ for the bound
princ sing the checksum field to bind that AP-REQ to the outer one
[16:43:40] <kenh> Doug: Conclusions, is that we need more input from the
"real world".
[16:44:10] <kenh> hartmans: they are? How so?
[16:44:12] --- raeburn has left: Disconnected
[16:44:34] <hartmans> Linux is working on selinux; Nico tells me
wonderful things about Solaris 10 every time we talk
[16:44:39] <kenh> tlyu: These are really qualitfy-of-implementations
issues, not so much protocol issues.
[16:44:57] <nico-sun> heh
[16:45:05] <kenh> Ah, I thought you were talking about authorization
knobs, not host security.
[16:45:07] <hartmans> Windows actually does a lot of this already
although default policy is permissive
[16:45:42] <nico-sun> ken: I'm addressing Doug's point about binding to
addresses being useless
[16:45:42] <kenh> Larry Zhu: KDC Referrals
[16:45:50] <hartmans> I don't buy this is Kerberos specific except in so
far as Kerberos actually provides a usable experience so you can get it
working far enough to get compromised
[16:46:15] <kenh> nico: Okay, but I think he meant in practice, not in
theory. In practice, _what we have currently_, they are, IMHO.
[16:46:26] <kenh> But we could certainly have something better.
[16:46:33] <kenh> Larry: Updates
[16:46:54] <kenh> Larry: PA-SERVER-REFERRAL-DATA contains the realm name
for the next TGS Request.
[16:47:01] <hartmans> kenh: Possibly I'm not convinced we could have
something better that provides a good user experience but I'm happy to try
[16:47:09] <kenh> Solution to the GNU FTP problems.
[16:47:32] <kenh> (e.g., Using an alias GNUFTP to request a ticket for
ftp.gnu.org, outside of admin boundary)
[16:48:06] <kenh> Referral data could refer you to the "correct" name.
[16:48:36] <N7DR> Everyone is breaking out the beers here, so er... I
have to leave now...
[16:48:41] <kenh> sam: Oh, I don't know how to create anything better,
I'm just saying it would be nice if therre was such a thing :-)
[16:48:49] --- Eric Rosenfeld has left
[16:48:50] <warlord> see ya, doc
[16:48:51] <kenh> Larry: Open Issues
[16:48:56] --- N7DR has left
[16:49:04] <kenh> Larry: Ticket & referral info mix & match attack
[16:49:07] <hartmans> Ah, but I do know how to make progress on host
security;)
[16:49:18] <kenh> Several Solutions possible
[16:50:00] <kenh> sam: The problem is that if your user base includes
mostly random scientists connecting from poorly-administrated Linux
boxes, your host security problem is VERY hard.
[16:50:13] <kenh> Larry: Several solutions possible (see slides)
[16:50:42] <kenh> Larry: Next steps - call for consensus on the draft
going to last call.
[16:51:06] <kenh> jhutz: Last call is something Doug and I do when we
feel the document is ready ... and we base that on your sense of the
document's readiness.
[16:51:08] --- nov has joined
[16:51:09] --- lha has left: Logged out
[16:51:18] --- lha has joined
[16:51:39] <nico-sun> are we done? looks like it
[16:51:42] <kenh> sam: I think you're not ready; you probably need a few
more reviewers.
[16:52:09] <kenh> jhutz: Please describe your proposals on the mailing
list, so we can get more discussions.
[16:52:14] --- hartmans has left
[16:52:24] --- nico-sun has left
[16:52:46] --- tlyu has left
[16:52:54] <kenh> And the meeting is closed.
[16:53:01] --- nov has left
[16:53:07] --- kenh has left
[16:53:21] --- pbh has left
[16:55:36] --- jas has left
[16:55:44] --- DougEngert has left
[16:55:47] --- lha has left
[16:59:42] --- amelnikov has left
[17:07:47] --- jhutz has left: Disconnected
[17:10:21] --- masahiro has left: Disconnected
[17:13:02] --- jaltman has left: Replaced by new connection
[17:13:25] --- jaltman has joined
[17:15:35] --- warlord has left
[17:17:57] --- masahiro has joined
[17:18:01] --- masahiro has left
[17:18:17] --- Kurt has left: Disconnected
[17:22:53] --- leifj has left
[17:44:18] --- jhutz has joined
[17:47:50] --- wyllys has joined
[17:48:02] --- wyllys has left
[17:48:56] --- jhutz has left
[18:20:55] --- raeburn has joined
[18:25:21] --- jaltman has left: Replaced by new connection
[19:05:45] --- raeburn has left: Disconnected