[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
If it isn't too late to fix this without breaking lots of
implementations, the ASN.1 in this specification is over-tagged. In
section 3.2.1, all three of the tags in PA-PK-AS-REQ are unnecessary, and
the one on signedAuthPack is actually slightly harmful. None of the tags
in PKAuthenticator do any good either. The OCTET STRING wrappings for
subjectName and issuerAndSerialNumber are not really appropriate, and
subjectName doesn't need a tag. Even in AuthPack, pkAuthenticator and
clientDHNonce don't need tags.
Similarly, in 3.2.3, there is no reason for any of the tags in
PA-PK-AS-REP, DHRepInfo, or KDCDHKeyInfo. The tags in ReplyKeyPack in
3.2.3.2 also seem unnecessary.
Tom Gindin
P.S. - The opinions above are mine, and not necessarily those of my
employer.
Sam Hartman <hartmans-ietf@xxxxxxx>
Sent by: owner-ietf-pkix@xxxxxxxxxxxx
10/28/2005 09:12 AM
To: ietf-pkix@xxxxxxx
cc: jhutz@xxxxxxx
Subject: [Jeffrey Hutzelman] LAST CALL - Public Key
Cryptography for Initial Authentication in Kerberos
Hi. The Kerberos working group has started a last call on the pkinit
draft. Pkinit is a mechanism for acquiring kerberos tickets based on
knowledge of a private key. It also supports and is typically used
with a PKI.
I'd appreciate any review that members of the pkix working group can
provide on this document.
----- Message from Unknown on Unknown -----
solipsist-nation ([unix socket]) by solipsist-nation (Cyrus
v2.1.16-IPv6-Debian-2.1.16-10) with LMTP; Sun, 23 Oct 2005 22:07:31
-0400 X-Sieve: CMU Sieve 2.2 Return-Path:
<owner-ietf-krb-wg-outgoing@xxxxxxx> Received: from
south-station-annex.mit.edu (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client
certificate requested) by suchdamage.org (Postfix) with ESMTP id
9BDFA1383E for <hartmans@xxxxxxxxxxxxxx>; Sun, 23 Oct 2005 22:07:24
-0400 (EDT) Received: from pacific-carrier-annex.mit.edu
(PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by
south-station-annex.mit.edu (8.12.4/8.9.2) with ESMTP id
j9O27MkZ012927 for <hartmans@xxxxxxxxxxxxxx>; Sun, 23 Oct 2005
22:07:22 -0400 (EDT) Received: from mailhost.anl.gov (mailhost.anl.gov
[130.202.113.50]) by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with
ESMTP id j9O26Emq005270; Sun, 23 Oct 2005 22:06:14 -0400 (EDT)
Received: by mailhost.anl.gov (Postfix) id 18622286; Sun, 23 Oct 2005
21:06:13 -0500 (CDT) Delivered-To: ietf-krb-wg-outgoing@xxxxxxx
Received: from mailhost.anl.gov (localhost [127.0.0.1]) by
localhost.ctd.anl.gov (Postfix) with ESMTP id E87EA26D for
<ietf-krb-wg-outgoing@xxxxxxx>; Sun, 23 Oct 2005 21:06:12 -0500 (CDT)
Received: by mailhost.anl.gov (Postfix, from userid 10733) id
D6987286; Sun, 23 Oct 2005 21:06:12 -0500 (CDT) X-Original-To:
ietf-krb-wg@xxxxxxx Delivered-To: ietf-krb-wg@xxxxxxx Received: from
mailhost.anl.gov (localhost [127.0.0.1]) by localhost.ctd.anl.gov
(Postfix) with ESMTP id 5D96227F for <ietf-krb-wg@xxxxxxx>; Sun, 23
Oct 2005 21:06:12 -0500 (CDT) Received: from mailrelay.anl.gov
(mailrelay.anl.gov [130.202.101.22]) by mailhost.anl.gov (Postfix)
with ESMTP id 4C9D526D for <ietf-krb-wg@xxxxxxx>; Sun, 23 Oct 2005
21:06:12 -0500 (CDT) Received: from mailrelay.anl.gov (localhost
[127.0.0.1]) by localhost.ctd.anl.gov (Postfix) with ESMTP id
D63D05F0D5B; Sun, 23 Oct 2005 21:06:11 -0500 (CDT) Received: from
currant.srv.cs.cmu.edu (CURRANT.SRV.CS.CMU.EDU [128.2.194.193]) by
mailrelay.anl.gov (Postfix) with SMTP id 7F1595F0D5A for
<ietf-krb-wg@xxxxxxx>; Sun, 23 Oct 2005 21:06:11 -0500 (CDT) Received:
from CRUNCHBERRY.SRV.CS.CMU.EDU ([128.2.203.75]) by
currant.srv.cs.cmu.edu id aa18518; 23 Oct 2005 22:06 EDT Received:
from jhutz-dyn0.pc.cs.cmu.edu
(IDENT:U2FsdGVkX1+t+NgCyV0xi/qQraCNyY7Gmr6mlG7xV3U@xxxxxxxxxxxxxxxxxxxxxxxx
[128.2.200.136]) (authenticated bits=0) by crunchberry.srv.cs.cmu.edu
(8.13.4/8.13.4) with ESMTP id j9O264gX002260 (version=TLSv1/SSLv3
cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Sun, 23 Oct 2005
22:06:05 -0400 (EDT) Date: Sun, 23 Oct 2005 22:06:00 -0400 From:
Jeffrey Hutzelman <jhutz@xxxxxxx> To: ietf-krb-wg@xxxxxxx Cc: Jeffrey
Hutzelman <jhutz@xxxxxxx> Subject: LAST CALL - Public Key Cryptography
for Initial Authentication in Kerberos Message-ID:
<6F5E31C582712026A72741F6@xxxxxxxxxxxxxxxxxxxxxxxx> Originator-Info:
login-token=Mulberry:01ouPFOwxLOq/uLj281WH1qjlV/GYpFz4PWPOg2GM=;
token_authority=postmaster@xxxxxxxxxxxxxx X-Mailer: Mulberry/3.1.6
(Linux/x86) Sender: owner-ietf-krb-wg@xxxxxxxxxxxxxxxx Precedence:
bulk X-Scanned-By: MIMEDefang 2.42 X-Spam-Checker-Version:
SpamAssassin 3.0.2 (2004-11-16) on solipsist-nation.suchdamage.org
X-Spam-Level: X-Spam-Status: No, score=-1.7 required=5.0
tests=AWL,BAYES_00 autolearn=ham version=3.0.2
MIME-Version: 1.0
At long last...
As of October 23, 2005, I am beginning a two-week Last Call period
on the following document:
Title : Public Key Cryptography
for
Initial Authentication in Kerberos
Author(s) : B. Tung, L. Zhu
Filename :
draft-ietf-cat-kerberos-pk-init-29.txt
Pages : 36
Date : 2005-10-21
Comments on this document should be sent to the Kerberos Working Group
mailing list, ietf-krb-wg@xxxxxxx, and will be accepted at least until
11:59pm EST on November 6, 2005. All issues raised will be entered
into the Request Tracker system at https://rt.psg.com/.
Once the Last Call period has ended, I will make a determination as to
whether there remain any unresolved issue, and whether there is a rough
consensus withing the working group to send this document to the IESG for
publication as a Proposed Standard.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@xxxxxxx>
Chair, IETF Kerberos Working Group
Carnegie Mellon University - Pittsburgh, PA