PKINIT open issues update

Jeffrey Hutzelman
OK folks; it's time to review open issues with PKINIT and get them resolved.
It seems like every time I try to do this, we end up with more new issues,
or with changes to the text other than the ones agreed upon to solve issues.
It is costing me a lot of cycles to review this document every time a new
version is submitted to make sure no unexpected changes have crept in.

So, I'm asking the editors to please not make ANY CHANGES AT ALL except to
apply changes agreed to on this mailing list to resolve open issues.  Larry,
that means you MUST NOT add text to the draft reflecting your proposed
solution to an issue until it has been agreed on by the working group.  If
the working group has agreed to specific text, then that text needs to
appear in the document exactly as agreed -- no wordsmithing!  If you feel
the urge to tweak something to make it more readable - DON'T!!!


Now then, on to the issues.  As of this writing, there are 14 open tickets
on PKINIT.  I'm going to go through them one by one; hopefully by the time
I get to the end we'll have a few less, and by the end of the week, we'll
have even fewer.  I want this done already, and so do our ADs...


#501  PKINIT 009 - Update PA types
      The PA types themselves will be reflected in RFC4120.  However, the
      values for AD-INITIAL-VERIFIED-CAS and TD-DH-PARAMETERS are not
      listed there.  I need confirmation from Cliff that these values
      have been reserved for Kerberos.

#529  PKINIT 037 - ASN.1 module inconsistency
      This is a placeholder to make sure we check again during WGLC

#678  MILESTONE - PKINIT WGLC
      Well, we've missed this, now haven't we?

#767  reasons for rejecting a PKINIT client
      The working group agreed some time ago on specific text for this
      issue.  We've been working since February to get the exact text
      into the document.  As of pkinit-25, two paragraphs related to
      local policy were missing, and they are _still_ missing in -26.
      This text was the result of a WG consensus and MUST be restored.

#834  PKINIT AES128?
      What I thought would be relatively simple has turned out to be
      rather complicated.  So far I see no consensus.  I'll be saying
      more on this in an upcoming message.

#839  PKINIT-23 comments: KDC_ERR_KDC_NOT_TRUSTED
      I think we are close to consensus on this one.  I sent a message
      on July 8 asking questions of two individuals; I'm waiting for
      their responses.

#840  Elliptic Curve DH support
      We have a consensus that this should not be in the main document.
      See my message to the mailing list for a more complete discussion
      of how this decision was reached, what it means, and what specific
      changes need to be made to the document.  The required changes will
      also be added to the ticket, which can be closed once the document
      has been updated.

#841  Is AD-INITIAL-VERIFIED-CAS critical?
      CLOSED - we have a consensus, which the document already reflects

#837  pkinit comments: confirming kdc certificates
#842  Certificate path validation
      There has been a lot of discussion on these, but I'm not clear on
      whether we have actually gotten any nearer to a consensus.  I will
      review these tomorrow and post a message then.

#836  What is InitialVerifiedCAs?
#864  What's in a Name - TD-INVALID-CERTIFICATES
#865  What's in a name? - TD-TRUSTED-CERTIFIERS
#866  Definition of TrustedCA
      There has been some discussion but no conclusion.  I have posted
      a proposal to attempt to resolve these tickets.

#1063 Binding the AS-REP with the AS-REQ
      This is a new ticket, describing a potentially serious problem,
      along with a proposed solution.  This must be resolved before the
      document will be considered done.  This issue will be on the
      agenda for IETF63.


Executive Summary:
* Resolved or nearly resolved:
  #501  PKINIT 009 - Update PA types
  #529  PKINIT 037 - ASN.1 module inconsistency
  #678  MILESTONE - PKINIT WGLC
  #767  reasons for rejecting a PKINIT client
  #839  PKINIT-23 comments: KDC_ERR_KDC_NOT_TRUSTED
  #840  Elliptic Curve DH support
  #841  Is AD-INITIAL-VERIFIED-CAS critical?

* Needs more discussion:
  #834  PKINIT AES128?
  #836  What is InitialVerifiedCAs?
  #864  What's in a Name - TD-INVALID-CERTIFICATES
  #865  What's in a name? - TD-TRUSTED-CERTIFIERS
  #866  Definition of TrustedCA
  #1063 Binding the AS-REP with the AS-REQ

* Still evaluating
  #837  pkinit comments: confirming kdc certificates
  #842  Certificate path validation