[kitten] Kathleen Moriarty's Discuss on draft-ietf-kitten-pkinit-freshness-07: (with DISCUSS)


[kitten] Kathleen Moriarty's Discuss on draft-ietf-kitten-pkinit-freshness-07: (with DISCUSS)

Kathleen Moriarty
Kathleen Moriarty has entered the following ballot position for
draft-ietf-kitten-pkinit-freshness-07: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-kitten-pkinit-freshness/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Holding a discuss until the Gen-art conversation on minimum size of the
freshness token resolves. Will switch to a yes once that is resolved.
https://www.ietf.org/mail-archive/web/gen-art/current/msg13942.html




_______________________________________________
Kitten mailing list
[hidden email]
https://www.ietf.org/mailman/listinfo/kitten
Re: [kitten] Kathleen Moriarty's Discuss on draft-ietf-kitten-pkinit-freshness-07: (with DISCUSS)

Stephen Farrell

Hi Kathleen, Kitten-WG:

I read the thread on this and I think a suggestion made
on the kitten list [1] by Greg Hudson ought to work to
address the valid concern that a too-short or predictable
freshness token could be abused.

The suggestion was to add a new paragraph to the security
considerations saying:

"If freshness tokens sent by the KDC are too short or too
predictable, an attacker may be able to defeat the mechanism
by creating signatures using every possible token value.
To prevent this attack, the freshness token SHOULD contain
a minimum of 64 unpredictable bits."

If that works, I can add an RFC editor note to that effect
or the authors can fire out a new draft.

Greg also said: "I am willing to accept an amendment changing
64 to 96 or 128.  It's a SHOULD, so it doesn't really constrain
the implementation." And I agree that any of those numbers
would likely be fine.

So:

Kathleen - do you think that'd be sufficient to resolve your
discuss? If not, what would work?

(If the above is good enough to get the discuss cleared, then
I'll ask for opinions from the WG as to whether there are any
issues with it. But please hold off for now until we see if
Kathleen is ok with this resolution.)

Thanks,
S.

PS: Be nice to get this sorted before the holidays:-)

[1] https://www.ietf.org/mail-archive/web/kitten/current/msg06199.html


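As an added illustration of the entropy floor in the paragraph Stephen quotes (example code written for this page, not from the draft, MIT krb5 or any PKINIT implementation): a hypothetical KDC-side token issuer whose layout (timestamp || CSPRNG nonce || HMAC tag), freshness window and key are all assumptions. The keyed tag lets a stateless KDC recognise its own tokens, the nonce supplies the 64 unpredictable bits an attacker would otherwise enumerate, and the policy check refuses configurations below that floor.

```python
import hashlib
import hmac
import secrets
import struct

# SHOULD floor for unpredictable bits in a freshness token, as proposed in the thread.
MIN_UNPREDICTABLE_BITS = 64
# Assumed freshness window and tag size; neither number comes from the draft.
MAX_TOKEN_AGE_SECONDS = 300
TAG_LEN = 16
TIME_LEN = 4
# Hypothetical token layout (NOT RFC 8070's encoding):
#   4-byte big-endian issue time || nonce (>= 8 CSPRNG bytes) || 16-byte truncated HMAC-SHA256

class FreshnessTokenIssuer:
    """KDC-side issuer/verifier. The keyed tag lets a stateless KDC confirm that a token
    a client hands back is one it issued; the nonce is the part an attacker cannot enumerate."""

    def __init__(self, key: bytes, nonce_bits: int = MIN_UNPREDICTABLE_BITS):
        if nonce_bits < MIN_UNPREDICTABLE_BITS or nonce_bits % 8:
            raise ValueError("nonce must be whole bytes with at least 64 unpredictable bits")
        self._key = key
        self._nonce_len = nonce_bits // 8

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]

    def issue(self, now: int) -> bytes:
        body = struct.pack(">I", now) + secrets.token_bytes(self._nonce_len)
        return body + self._tag(body)

    def verify(self, token: bytes, now: int) -> bool:
        """True only for a token this KDC issued, unmodified, within the freshness window."""
        if len(token) != TIME_LEN + self._nonce_len + TAG_LEN:
            return False
        body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(body)):
            return False  # forged, truncated, or issued under a different key
        (issued,) = struct.unpack(">I", body[:TIME_LEN])
        return 0 <= now - issued <= MAX_TOKEN_AGE_SECONDS

def unpredictable_bits(token: bytes) -> int:
    """Bits an attacker would have to enumerate: everything except the timestamp and the
    tag, which is a deterministic function of the rest and so adds no entropy."""
    return (len(token) - TIME_LEN - TAG_LEN) * 8

def meets_policy(token: bytes) -> bool:
    return unpredictable_bits(token) >= MIN_UNPREDICTABLE_BITS
```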


Re: [kitten] Kathleen Moriarty's Discuss on draft-ietf-kitten-pkinit-freshness-07: (with DISCUSS)

Kathleen Moriarty
Hi Stephen, 

Thanks for digging into this.  Inline.

On Tue, Dec 20, 2016 at 11:58 AM, Stephen Farrell <[hidden email]> wrote:

> Hi Kathleen, Kitten-WG:
>
> I read the thread on this and I think a suggestion made
> on the kitten list [1] by Greg Hudson ought to work to
> address the valid concern that a too-short or predictable
> freshness token could be abused.
>
> The suggestion was to add a new paragraph to the security
> considerations saying:
>
> "If freshness tokens sent by the KDC are too short or too
> predictable, an attacker may be able to defeat the mechanism
> by creating signatures using every possible token value.
> To prevent this attack, the freshness token SHOULD contain
> a minimum of 64 unpredictable bits."


Yes, that works for me, thanks.
 
> If that works, I can add an RFC editor note to that effect
> or the authors can fire out a new draft.
>
> Greg also said: "I am willing to accept an amendment changing
> 64 to 96 or 128.  It's a SHOULD, so it doesn't really constrain
> the implementation." And I agree that any of those numbers
> would likely be fine.
>
> So:
>
> Kathleen - do you think that'd be sufficient to resolve your
> discuss? If not, what would work?
>
> (If the above is good enough to get the discuss cleared, then
> I'll ask for opinions from the WG as to whether there are any
> issues with it. But please hold off for now until we see if
> Kathleen is ok with this resolution.)


Please let me know if the WG agrees or next steps.

Thank you,
Kathleen
 
> Thanks,
> S.
>
> PS: Be nice to get this sorted before the holidays:-)
>
> [1] https://www.ietf.org/mail-archive/web/kitten/current/msg06199.html





--

Best regards,
Kathleen

Re: [kitten] Kathleen Moriarty's Discuss on draft-ietf-kitten-pkinit-freshness-07: (with DISCUSS)

Stephen Farrell

Hiya,

On 20/12/16 19:43, Kathleen Moriarty wrote:

> Hi Stephen,
>
> Thanks for digging into this.  Inline.
>
> On Tue, Dec 20, 2016 at 11:58 AM, Stephen Farrell <[hidden email]
>> wrote:
>
>>
>> Hi Kathleen, Kitten-WG:
>>
>> I read the thread on this and I think a suggestion made
>> on the kitten list [1] by Greg Hudson ought to work to
>> address the valid concern that a too-short or predictable
>> freshness token could be abused.
>>
>> The suggestion was to add a new paragraph to the security
>> considerations saying:
>>
>> "If freshness tokens sent by the KDC are too short or too
>> predictable, an attacker may be able to defeat the mechanism
>> by creating signatures using every possible token value.
>> To prevent this attack, the freshness token SHOULD contain
>> a minimum of 64 unpredictable bits."
>>
>>
> Yes, that works for me, thanks.
>
Great. So are the authors/chairs/WG ok with adding that
too? If nobody objects I'll add the RFC editor note
tomorrow and we can go from there. (There'll still be
plenty of time for later objections if this is somehow
a horrible thing, but I can't see how that'd be the
case at all:-)

All going well, Kathleen can clear her discuss then
and we can give this one to the RFC editor as a very
slightly early holiday present.

Cheers,
S.


Re: [kitten] Kathleen Moriarty's Discuss on draft-ietf-kitten-pkinit-freshness-07: (with DISCUSS)

Michiko Short
Works for me. Please proceed.
-Mich

