From wyllys.ingersoll at sun.com Wed Apr 9 14:30:17 2003
From: wyllys.ingersoll at sun.com (Wyllys Ingersoll)
Date: Wed, 09 Apr 2003 14:30:17 -0400
Subject: [Kdc-info] kdc-info meeting at ietf56
In-Reply-To:
References:
Message-ID: <3E9466B9.7080009@sun.com>

So, it's been a while since IETF, so I just would like to
ping the list to see about getting some progress on this
document before the Summer meeting.

In our discussions in SF, did we decide that the policy
information should be included in the info model or not?

-Wyllys

Ken Raeburn wrote:

> Some random notes here, written up from memory after the meeting,
> since we didn't think to have anyone take notes during it. Feel free
> to supply any corrections or missing details.
>
> We had about eight or nine of us: me, Leif, Wyllys, Mortezza, Kurt
> Zeilenga, Bob Morgan, Bob Joslin, and I know I'm forgetting (or didn't
> catch) one or two other names; sorry about that. We hadn't heard
> anything from Donna, and assumed she wasn't around. So we went to
> find some space to talk for a while.
>
> There was some discussion on administrative information model
> specification versus KDC implementation details, and how we're
> intentionally ignoring the latter for now.
>
> We discussed minimal versus more comprehensive information models.
> After concluding that a minimal model could leave out nearly
> everything (e.g., principal expiration times may not be required, if
> you can simply delete them; ticket lifetime limits may not be
> important if your implementation always uses short lifetimes), and
> wouldn't be very useful at all, we started discussing what sort of
> things might be in a more comprehensive model. (As I recall, at the
> last IETF, with a few more people involved, we had decided to start
> working on a minimal useful model, though I don't recall the specific
> arguments. So I'm not convinced this new direction is necessarily
> good.)
>
> How should the realm be figured into the information model?
>
> Kurt brought up the point that in an LDAP schema, information may be
> distributed or may be per-server. The MIT model, at least, assumes
> everything is fully replicated from the master to the slave KDCs, and
> nothing is updated by the slaves in normal usage. This will be a more
> interesting issue when we go from the information model to a schema.
>
> Leif will start on a rough list of concepts from the various Kerberos
> implementations, and send it to the list for further input.
>
> Ken will review the LDAP password-modify and password-policy documents
> and see how well they match what we're doing or what we need in
> Kerberos.
>
> Ken
> _______________________________________________
> kdc-info mailing list
> kdc-info at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kdc-info

From leifj at it.su.se Wed Apr 9 13:43:05 2003
From: leifj at it.su.se (Leif Johansson)
Date: Wed, 09 Apr 2003 19:43:05 +0200
Subject: [Kdc-info] kdc-info meeting at ietf56
In-Reply-To: <3E9466B9.7080009@sun.com>
References: <3E9466B9.7080009@sun.com>
Message-ID: <3E945BA9.2080602@it.su.se>

Wyllys Ingersoll wrote:

>
> So, it's been a while since IETF, so I just would like to
> ping the list to see about getting some progress on this
> document before the Summer meeting.

I was just thinking that myself...

>
> In our discussions in SF, did we decide that the policy
> information should be included in the info model or not?
>
> -Wyllys
>

Yes I believe that the plan was to build a "full" information-model. This is
a first list of concepts as far as I can tell.

* realm
* principal
* keyset/key
  -- there may be extra data associated with keys in revisions; right?
* policy
* password-policy
* ??

At this level of "abstraction" would you agree that this is a reasonably
complete list?
leifj

From leifj at it.su.se Thu Apr 17 01:58:57 2003
From: leifj at it.su.se (Leif Johansson)
Date: Thu, 17 Apr 2003 07:58:57 +0200
Subject: [Kdc-info] kdc-info meeting at ietf56
In-Reply-To: <3E945BA9.2080602@it.su.se>
References: <3E9466B9.7080009@sun.com> <3E945BA9.2080602@it.su.se>
Message-ID: <3E9E42A1.6030503@it.su.se>

Leif Johansson wrote:

> Wyllys Ingersoll wrote:
>
>>
>> So, it's been a while since IETF, so I just would like to
>> ping the list to see about getting some progress on this
>> document before the Summer meeting.
>
>
> I was just thinking that myself...
>
>>
>> In our discussions in SF, did we decide that the policy
>> information should be included in the info model or not?
>>
>> -Wyllys
>>
> Yes I believe that the plan was to build a "full" information-model.
> This is
> a first list of concepts as far as I can tell.
>
> * realm
> * principal
> * keyset/key
> -- there may be extra data associated with keys in revisions;
> right?
> * policy
> * password-policy
> * ??
>
> At this level of "abstraction" would you agree that this is a reasonably
> complete list?
> leifj
>

Any comments on this? I am especially looking for input on two points:

1. Is there other policy besides "password policy"?
2. Extra data associated with keys? What are the requirements from
clarifications?

From wyllys.ingersoll at sun.com Thu Apr 17 17:12:36 2003
From: wyllys.ingersoll at sun.com (Wyllys Ingersoll)
Date: Thu, 17 Apr 2003 17:12:36 -0400
Subject: [Kdc-info] kdc-info meeting at ietf56
In-Reply-To: <3E9E42A1.6030503@it.su.se>
References: <3E9466B9.7080009@sun.com> <3E945BA9.2080602@it.su.se> <3E9E42A1.6030503@it.su.se>
Message-ID: <3E9F18C4.2090405@sun.com>

Leif Johansson wrote:

> Leif Johansson wrote:
>
>> Wyllys Ingersoll wrote:
>>
>>>
>>> So, it's been a while since IETF, so I just would like to
>>> ping the list to see about getting some progress on this
>>> document before the Summer meeting.
>>
>>
>>
>> I was just thinking that myself...
>>
>>>
>>> In our discussions in SF, did we decide that the policy
>>> information should be included in the info model or not?
>>>
>>> -Wyllys
>>>
>> Yes I believe that the plan was to build a "full" information-model.
>> This is
>> a first list of concepts as far as I can tell.
>>
>> * realm
>> * principal
>> * keyset/key
>> -- there may be extra data associated with keys in revisions;
>> right?
>> * policy
>> * password-policy
>> * ??
>>
>> At this level of "abstraction" would you agree that this is a reasonably
>> complete list?
>> leifj
>>
> Any comments on this? I am especially looking for input on two points:
>
> 1. Is there other policy besides "password policy"?

I believe MIT only supports password policies for now.

What about the kadm5.acl file? Are ACL's something to consider
for inclusion?

> 2. Extra data associated with keys? What are the requirements from
> clarifications?

Whatever is included in the definition of a key, I suppose. Perhaps
someone else would elaborate.

-Wyllys

From towusu at us.ibm.com Fri Apr 18 08:39:03 2003
From: towusu at us.ibm.com (Thomas Owusu)
Date: Fri, 18 Apr 2003 07:39:03 -0500
Subject: [Kdc-info] kdc-info meeting at ietf56
Message-ID:

Some existing LDAP schemas/implementations include ticket and account
attributes in addition to the password attributes you'd find in MIT
implementation.

---
Thomas Owusu
towusu at us.ibm.com
512.436.9835

Wyllys Ingersoll
Sent by: kdc-info-bounces at mit.edu
04/17/2003 04:12 PM

To: Leif Johansson
cc: kdc-info at mit.edu
Subject: Re: [Kdc-info] kdc-info meeting at ietf56

Leif Johansson wrote:

> Leif Johansson wrote:
>
>> Wyllys Ingersoll wrote:
>>
>>>
>>> So, it's been a while since IETF, so I just would like to
>>> ping the list to see about getting some progress on this
>>> document before the Summer meeting.
>>
>>
>>
>> I was just thinking that myself...
>>
>>>
>>> In our discussions in SF, did we decide that the policy
>>> information should be included in the info model or not?
>>>
>>> -Wyllys
>>>
>> Yes I believe that the plan was to build a "full" information-model.
>> This is
>> a first list of concepts as far as I can tell.
>>
>> * realm
>> * principal
>> * keyset/key
>> -- there may be extra data associated with keys in revisions;
>> right?
>> * policy
>> * password-policy
>> * ??
>>
>> At this level of "abstraction" would you agree that this is a reasonably
>> complete list?
>> leifj
>>
> Any comments on this? I am especially looking for input on two points:
>
> 1. Is there other policy besides "password policy"?

I believe MIT only supports password policies for now.

What about the kadm5.acl file? Are ACL's something to consider
for inclusion?

> 2. Extra data associated with keys? What are the requirements from
> clarifications?

Whatever is included in the definition of a key, I suppose. Perhaps
someone else would elaborate.

-Wyllys

From leifj at it.su.se Fri Apr 18 12:19:06 2003
From: leifj at it.su.se (Leif Johansson)
Date: Fri, 18 Apr 2003 18:19:06 +0200
Subject: [Kdc-info] kdc-info meeting at ietf56
In-Reply-To:
References:
Message-ID: <3EA0257A.9020703@it.su.se>

Thomas Owusu wrote:

>
> Some existing LDAP schemas/implementations include ticket and account
> attributes
> in addition to the password attributes you'd find in MIT implementation.
>

Could you give an example?

From towusu at us.ibm.com Mon Apr 21 11:04:29 2003
From: towusu at us.ibm.com (Thomas Owusu)
Date: Mon, 21 Apr 2003 10:04:29 -0500
Subject: [Kdc-info] kdc-info meeting at ietf56
Message-ID:

See http://www.ietf.org/internet-drafts/draft-skibbie-krb-kdc-ldap-schema-02.txt.
Look for KrbPolicy, the object class for policy.
---
Thomas Owusu
towusu at us.ibm.com
512.436.9835

Leif Johansson
Sent by: kdc-info-bounces at mit.edu
04/18/2003 11:19 AM

To: Thomas Owusu/Austin/Contr/IBM at IBMUS
cc: kdc-info-bounces at mit.edu, Wyllys Ingersoll, kdc-info at mit.edu
Subject: Re: [Kdc-info] kdc-info meeting at ietf56

Thomas Owusu wrote:

>
> Some existing LDAP schemas/implementations include ticket and account
> attributes
> in addition to the password attributes you'd find in MIT implementation.
>

Could you give an example?

From raeburn at MIT.EDU Mon Apr 21 16:48:55 2003
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 21 Apr 2003 16:48:55 -0400
Subject: [Kdc-info] list addresses
In-Reply-To: (Thomas Owusu's message of "Fri, 18 Apr 2003 07:39:03 -0500")
References:
Message-ID:

Please don't include "kdc-info-bounces" on the recipient list. That
address is used as the envelope sender and errors-to addresses to
automatically detect failed delivery. Every normal list message sent
to that address winds up in my mailbox with a note saying that the
list software didn't recognize the bounce message format....

Ken