[36558] in Kerberos


Re: No mention of _kerberos TXT in RFCs / but we have DNSSEC now

daemon@ATHENA.MIT.EDU (Rick van Rein)
Sat Oct 18 03:56:35 2014

From: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <54419500.7040602@secure-endpoints.com>
Date: Sat, 18 Oct 2014 09:55:20 +0200
Message-Id: <FC381283-C7D6-42AE-86F5-4A9B88C0FDB0@openfortress.nl>
To: Jeffrey Altman <jaltman@secure-endpoints.com>
Cc: kerberos@mit.edu, Ken Hornstein <kenh@cmf.nrl.navy.mil>

Hi Jeffrey,

Thanks!

> Speaking as the other author of draft-ietf-krb-wg-krb-dns-locate-03, I
> have no objection to revisiting the discussion of using TXT records
> Kerberos in order to further reduce the need for client side
> configuration.  However, I would be unhappy if the implemented
> "_kerberos.<fqdn>" entry be standardized as-is.

Good to hear.  I have been surprised about the current spec also; I had also
stumbled on RFC 1464 and didn't dare to propose it (since I already feel
like I'm pushy in trying to get TXT back installed).  I wholeheartedly agree
with your suggestion of

> "v=<protocol><version>; [tag=value;]+"
>
> For Kerberos an initial version describing only the REALM might be:
>
> "v=krb1; r=REALM;"

And with that v=krb1 you can drop the _kerberos prefix, which I assume
is what you have in mind, right?

A few other design choices I've realised are:

* There might be multiple suggestions of a REALM by placing multiple
TXT records under one name.  This can benefit cross-realm authentication,
where a remote site may suggest two or three realms to its users, for
which the service name has a key in its keytab.

* We could discuss whether to mention s= with a service name as
well.  Clients already iterate over guesses of realm names, so they
too could do this, but less efficiently than when directed; especially
for cross-realm applications involving public key crypto this may be
a decisive argument. On the other side, it would release service
availability information in DNS, which may feel improper to some.
On the whole, I'd say that s= should be an optional addition.

* I think walking up along the DNS chain is potentially dangerous,
because it lands up in parent zones.  I would prefer to stay within
the realm that holds the FQDN for the service.  This is possible;
when a query for TXT under the service's FQDN fails, an SOA will
be released, and it incorporates the zone apex, under which the
same TXT could be queried.


> which would permit use to distribute other mandatory configuration in
> the future.  However, I could imagine other information being provided
> such as pre-auth hints; and public key information for the realm.

Good point.  So, other character strings may be registered for use
with this record, based on a TBD procedure?

> This discussion would be best held on the IETF Kitten mailing list.

Yes.  It is currently part of my TLS-KDH proposal, but perhaps it is
better to take it out and make a separate proposal for this, so people
are in a position to add such things as pre-auth hints easily.  Shall I
write this as an I-D and post it on Kitten?  Or would you want to do
this and/or play an active role in it?

Cheers,
 -Rick
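The "v=krb1; r=REALM;" TXT format Jeffrey proposes, together with the design points Rick raises (several realm records under one name, an optional s= tag, and a single fallback to the SOA's zone apex instead of walking up parent zones), as an added Python example that is not part of this thread. The zone data and the resolver are constructed mocks; the assumption that the owner name of the SOA in a negative response is the zone apex is noted in the code.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed mock zone data (not real DNS): owner name -> {rrtype: [rdata]}.
MOCK_ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.com.": {
        "SOA": ["ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300"],
        "TXT": ["v=krb1; r=EXAMPLE.COM;", "v=krb1; r=PARTNER.ORG; s=host;",
                "v=spf1 -all", "v=krb9; r=FUTURE;"],
    },
    "www.example.com.": {"TXT": ["v=spf1 -all"]},
}

TAG_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_-]*)\s*=\s*(.*?)\s*$")

def parse_krb_txt(txt: str) -> Optional[Dict[str, str]]:
    """Parse one 'v=<protocol><version>; [tag=value;]+' string.
    Returns the tag dict only for v=krb1 records that carry r=REALM; SPF,
    unknown versions and malformed fields are ignored by returning None."""
    tags: Dict[str, str] = {}
    for field in txt.split(";"):
        if not field.strip():
            continue
        m = TAG_RE.match(field)
        if not m:
            return None
        tags[m.group(1).lower()] = m.group(2)
    if tags.get("v") != "krb1" or not tags.get("r"):
        return None
    return tags

def mock_query(name: str, rrtype: str) -> Tuple[List[str], str]:
    """Simulated resolver returning (answers, soa_owner).  Assumption: a real
    negative response carries the zone's SOA in its authority section and the
    owner name of that SOA is the zone apex; here it is derived from mock data."""
    answers = MOCK_ZONE.get(name, {}).get(rrtype, [])
    labels = name.rstrip(".").split(".")
    apex = next((".".join(labels[i:]) + "." for i in range(len(labels))
                 if "SOA" in MOCK_ZONE.get(".".join(labels[i:]) + ".", {})), "")
    return answers, apex

def realm_hints(fqdn: str) -> List[Dict[str, str]]:
    """Realm suggestions for a service FQDN: its own TXT set first, then one
    fallback to the zone apex named by the SOA, never label-by-label upward."""
    answers, apex = mock_query(fqdn, "TXT")
    hints = [t for t in map(parse_krb_txt, answers) if t]
    if not hints and apex and apex != fqdn:
        hints = [t for t in map(parse_krb_txt, mock_query(apex, "TXT")[0]) if t]
    return hints
```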

