From bob.joslin at hp.com Wed Jul 2 18:43:04 2003
From: bob.joslin at hp.com (Bob Joslin)
Date: Wed, 2 Jul 2003 15:43:04 -0700
Subject: [Kdc-info] Info Model?
Message-ID:

I recall that I saw a message from Leif that contained the info model draft. But scanning my emails and the list does not produce anything. Either I was dreaming, or I'm blind. Leif, did you post your draft yet?

BTW, Sherman Wu, from HP, will be in Vienna from our team. If you do work out a BOF, I mentioned that it's likely scheduling/location details would be posted to kdc-info or kdc-schema. Could someone do that in case a meeting is set up?

Thanks,

Bob

From leifj at it.su.se Thu Jul 3 02:15:05 2003
From: leifj at it.su.se (Leif Johansson)
Date: Thu, 03 Jul 2003 08:15:05 +0200
Subject: [Kdc-info] Info Model?
In-Reply-To:
References:
Message-ID: <3F03C9E9.1030202@it.su.se>

Bob Joslin wrote:

>I recall that I saw a message from Leif that contained the info model draft.
>But scanning my emails and the list does not produce anything. Either I was
>dreaming, or I'm blind. Leif, did you post your draft yet?
>
>BTW, Sherman Wu, from HP, will be in Vienna from our team. If you do work
>out a BOF, I mentioned that it's likely scheduling/location details would be
>posted to kdc-info or kdc-schema. Could someone do that in case a meeting
>is set up?
>
>Thanks,
>
>Bob
>
Hmm... I think I must have missed the crucial step somewhere. The draft will follow this message. I suggest a bar-bof. Does anyone have enough of a grip on the agenda to suggest a time?

Cheers Leif

From leifj at it.su.se Thu Jul 3 02:23:27 2003
From: leifj at it.su.se (Leif Johansson)
Date: Thu, 03 Jul 2003 08:23:27 +0200
Subject: [Kdc-info] prelim draft of kdc information model
Message-ID: <3F03CBDF.3080201@it.su.se>

This is a first draft of the information model draft as discussed in SF. The draft missed the -00 cutoff.
Hopefully there will be an offline meeting about this in Vienna (details will be posted on kdc-info at mit.edu and kdc-schema at mit.edu). I am prepared to give a short summary on the progress of this work at the wg meeting if there is enough interest.

/leifj

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: draft-ietf-johansson-krb-model-00.txt
Url: http://mailman.mit.edu/pipermail/kdc-info/attachments/20030703/3c825286/attachment.txt

From Morteza.Ansari at sun.com Sun Jul 6 23:37:09 2003
From: Morteza.Ansari at sun.com (Morteza Ansari)
Date: Sun, 06 Jul 2003 20:37:09 -0700
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
References: <3F03C9E9.1030202@it.su.se>
Message-ID: <3F08EAE5.1BE6AC32@sun.com>

Leif Johansson wrote:
>
> Bob Joslin wrote:
>
> >I recall that I saw a message from Leif that contained the info model draft.
> >But scanning my emails and the list does not produce anything. Either I was
> >dreaming, or I'm blind. Leif, did you post your draft yet?
> >
> >BTW, Sherman Wu, from HP, will be in Vienna from our team. If you do work
> >out a BOF, I mentioned that it's likely scheduling/location details would be
> >posted to kdc-info or kdc-schema. Could someone do that in case a meeting
> >is set up?
> >
> >Thanks,
> >
> >Bob
> >
> Hmm... I think I must have missed the crucial step somewhere. The draft
> will follow
> this message. I suggest a bar-bof. Does anyone have enough of a grip on
> the agenda to
> suggest a time?

How about Monday evening? Just to throw a time, how about 8pm? I am personally free after 5:30, so pretty much anytime Monday night would do for me.

Cheers,
Morteza

From leifj at it.su.se Mon Jul 7 04:56:35 2003
From: leifj at it.su.se (Leif Johansson)
Date: Mon, 07 Jul 2003 10:56:35 +0200
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
In-Reply-To: <3F08EAE5.1BE6AC32@sun.com>
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com>
Message-ID: <3F0935C3.7090707@it.su.se>

Morteza Ansari wrote:

>How about Monday evening? Just to throw a time, how about 8pm? I am
>personally free after 5:30, so pretty much anytime Monday night would do
>for me.
>
>Cheers,
>Morteza
>
The ipv6 wg is meeting after dinner so that won't work for me. How about Tuesday after the krb-wg? Or is everyone going to the social event?

Cheers leifj

From Morteza.Ansari at sun.com Mon Jul 7 05:19:35 2003
From: Morteza.Ansari at sun.com (Morteza Ansari)
Date: Mon, 07 Jul 2003 02:19:35 -0700
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com> <3F0935C3.7090707@it.su.se>
Message-ID: <3F093B27.219E0C5D@sun.com>

Leif Johansson wrote:
>
> Morteza Ansari wrote:
>
> >How about Monday evening? Just to throw a time, how about 8pm? I am
> >personally free after 5:30, so pretty much anytime Monday night would do
> >for me.
> >
> >Cheers,
> >Morteza
> >
> The ipv6 wg is meeting after dinner so that won't work for me. How about
> Tuesday
> after the krb-wg? Or is everyone going to the social event?

Tuesday night works for me.

Cheers,
Morteza

From wyllys.ingersoll at sun.com Mon Jul 7 09:01:09 2003
From: wyllys.ingersoll at sun.com (Wyllys Ingersoll)
Date: Mon, 07 Jul 2003 09:01:09 -0400
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
In-Reply-To: <3F08EAE5.1BE6AC32@sun.com>
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com>
Message-ID: <3F096F15.5080003@sun.com>

Monday night works for me.

-Wyllys

Morteza Ansari wrote:
> Leif Johansson wrote:
>
>>Bob Joslin wrote:
>>
>>
>>>I recall that I saw a message from Leif that contained the info model draft.
>>>But scanning my emails and the list does not produce anything. Either I was
>>>dreaming, or I'm blind. Leif, did you post your draft yet?
>>>
>>>BTW, Sherman Wu, from HP, will be in Vienna from our team. If you do work
>>>out a BOF, I mentioned that it's likely scheduling/location details would be
>>>posted to kdc-info or kdc-schema. Could someone do that in case a meeting
>>>is set up?
>>>
>>>Thanks,
>>>
>>>Bob
>>>
>>
>>Hmm... I think I must have missed the crucial step somewhere. The draft
>>will follow
>>this message. I suggest a bar-bof. Does anyone have enough of a grip on
>>the agenda to
>>suggest a time?
>
>
> How about Monday evening? Just to throw a time, how about 8pm? I am
> personally free after 5:30, so pretty much anytime Monday night would do
> for me.
>
>
> Cheers,
> Morteza
> _______________________________________________
> kdc-schema mailing list
> kdc-schema at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kdc-schema

From leifj at it.su.se Mon Jul 7 10:20:51 2003
From: leifj at it.su.se (Leif Johansson)
Date: Mon, 07 Jul 2003 16:20:51 +0200
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
In-Reply-To: <3F096F15.5080003@sun.com>
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com> <3F096F15.5080003@sun.com>
Message-ID: <3F0981C3.7000204@it.su.se>

Wyllys Ingersoll wrote:
>
> Monday night works for me.
>
How about Tuesday?

Cheers Leif

From wyllys.ingersoll at sun.com Mon Jul 7 10:29:09 2003
From: wyllys.ingersoll at sun.com (Wyllys Ingersoll)
Date: Mon, 07 Jul 2003 10:29:09 -0400
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
In-Reply-To: <3F0981C3.7000204@it.su.se>
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com> <3F096F15.5080003@sun.com> <3F0981C3.7000204@it.su.se>
Message-ID: <3F0983B5.4010606@sun.com>

Leif Johansson wrote:
> Wyllys Ingersoll wrote:
>
>>
>> Monday night works for me.
>>
> How about Tuesday?
>
> Cheers Leif
>

Tuesday is also fine, I should have read all of my mail before responding earlier. I'm pretty much open all week.
-Wyllys

From leifj at it.su.se Tue Jul 8 09:01:22 2003
From: leifj at it.su.se (Leif Johansson)
Date: Tue, 08 Jul 2003 15:01:22 +0200
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
In-Reply-To: <3F0983B5.4010606@sun.com>
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com> <3F096F15.5080003@sun.com> <3F0981C3.7000204@it.su.se> <3F0983B5.4010606@sun.com>
Message-ID: <3F0AC0A2.6020408@it.su.se>

The standing suggestion is that we meet on Tuesday after the krb-wg just outside the krb-wg room, wherever that is.

Cheers Leif

From wyllys.ingersoll at sun.com Tue Jul 8 15:50:07 2003
From: wyllys.ingersoll at sun.com (Wyllys Ingersoll)
Date: Tue, 08 Jul 2003 15:50:07 -0400
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
In-Reply-To: <3F0AC0A2.6020408@it.su.se>
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com> <3F096F15.5080003@sun.com> <3F0981C3.7000204@it.su.se> <3F0983B5.4010606@sun.com> <3F0AC0A2.6020408@it.su.se>
Message-ID: <3F0B206F.8090006@sun.com>

That works for me.

-Wyllys

Leif Johansson wrote:
>
> The standing suggestion is that we meet on Tuesday after the krb-wg just
> outside the krb-wg room, wherever that is.
>
> Cheers Leif
>

From bob.joslin at hp.com Fri Jul 11 11:04:37 2003
From: bob.joslin at hp.com (Bob Joslin)
Date: Fri, 11 Jul 2003 08:04:37 -0700
Subject: [Kdc-info] LDAP password policy
Message-ID: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com>

As I recall, in San Francisco the talk about integrating the KDC password policy with the LDAP password policy model was brought up. Has anyone talked with Ludovic or Jim about the kdc-schema meeting after the kerberos WG? It might be very valuable to get their input or gauge their direction.
Bob

From leifj at it.su.se Sun Jul 13 05:49:35 2003
From: leifj at it.su.se (Leif Johansson)
Date: Sun, 13 Jul 2003 11:49:35 +0200
Subject: [Kdc-info] LDAP password policy
In-Reply-To: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com>
References: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com>
Message-ID: <3F112B2F.10605@it.su.se>

Bob Joslin wrote:

>As I recall, in San Francisco the talk about integrating the KDC
>password policy with the LDAP password policy model was brought up. Has
>anyone talked with Ludovic or Jim about the kdc-schema meeting after the
>kerberos WG? It might be very valuable to get their input or gauge their
>direction.
>
>Bob
>
I don't think so. We should try to corner either of them this week. Anyone who sees them should try to get them to come to the meeting on Tuesday.

MVH leifj

From Ludovic.Poitou at Sun.com Sun Jul 13 10:19:10 2003
From: Ludovic.Poitou at Sun.com (Ludovic Poitou)
Date: Sun, 13 Jul 2003 16:19:10 +0200
Subject: [kdc-schema] Re: [Kdc-info] LDAP password policy
References: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com> <3F112B2F.10605@it.su.se>
Message-ID: <3F116A5E.9070701@Sun.com>

I'm only on the kdc-schema list and will join you on Tuesday.

Ludovic

Leif Johansson wrote:
> Bob Joslin wrote:
>
>> As I recall, in San Francisco the talk about integrating the KDC
>> password policy with the LDAP password policy model was brought up. Has
>> anyone talked with Ludovic or Jim about the kdc-schema meeting after the
>> kerberos WG? It might be very valuable to get their input or gauge their
>> direction.
>>
>> Bob
>>
> I don't think so. We should try to corner either of them this week.
> Anyone who
> sees them should try to get them to come to the meeting on Tuesday.
>
> MVH leifj
>

From leifj at it.su.se Sun Jul 13 10:37:01 2003
From: leifj at it.su.se (Leif Johansson)
Date: Sun, 13 Jul 2003 16:37:01 +0200
Subject: [kdc-schema] Re: [Kdc-info] LDAP password policy
In-Reply-To: <3F116A5E.9070701@Sun.com>
References: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com> <3F112B2F.10605@it.su.se> <3F116A5E.9070701@Sun.com>
Message-ID: <3F116E8D.8070109@it.su.se>

Ludovic Poitou wrote:
> I'm only on the kdc-schema list and will join you on Tuesday.
>
> Ludovic

Great. See you there.

From hartmans at MIT.EDU Mon Jul 14 03:49:51 2003
From: hartmans at MIT.EDU (Sam Hartman)
Date: Mon, 14 Jul 2003 03:49:51 -0400
Subject: [Kdc-info] prelim draft of kdc information model
In-Reply-To: <3F03CBDF.3080201@it.su.se> (Leif Johansson's message of "Thu, 03 Jul 2003 08:23:27 +0200")
References: <3F03CBDF.3080201@it.su.se>
Message-ID:

Hi. I just finished reading the KDC info draft. This seems like a good start. I would like to accomplish the following, perhaps at this IETF meeting, perhaps later:

1) Understand how we view salt types and salts within this framework

2) Understand what flags we care about.

Before we finish this document we should also think about how it will interact with Kerberos extensions.

From hartmans at MIT.EDU Mon Jul 14 04:03:35 2003
From: hartmans at MIT.EDU (Sam Hartman)
Date: Mon, 14 Jul 2003 04:03:35 -0400
Subject: [Kdc-info] prelim draft of kdc information model
In-Reply-To: (Sam Hartman's message of "Mon, 14 Jul 2003 03:49:51 -0400")
References: <3F03CBDF.3080201@it.su.se>
Message-ID:

Two things that seem to be missing from this model are:

1) The information describing how principals are created. This is a deficiency in current admin servers.
I probably want to be able to specify that a principal belongs to some principal type like user or service when it is created and have that influence what is created for the principal. For users I probably want to disallow use of the long-term key as a service. At the current time, I might want to use AES for user principals but not for service principals.

2) Don't I want to be able to configure the enctypes and salttypes that future password changes will use per principal as well?

Both these points can probably be solved using the same mechanism.

From rlmorgan at washington.edu Mon Jul 14 04:15:06 2003
From: rlmorgan at washington.edu (RL 'Bob' Morgan)
Date: Mon, 14 Jul 2003 10:15:06 +0200 (CEST)
Subject: [Kdc-info] kdc-info/schema meeting time, again?
In-Reply-To: <3F0AC0A2.6020408@it.su.se>
Message-ID:

On Tue, 8 Jul 2003, Leif Johansson wrote:

> The standing suggestion is that we meet on Tuesday after the krb-wg just
> outside the krb-wg room, wherever that is.

Well, grumble, I already signed up for the social.

Would Wednesday 1530-1730 work for folks?

 - RL "Bob"

From leifj at it.su.se Mon Jul 14 04:18:21 2003
From: leifj at it.su.se (Leif Johansson)
Date: Mon, 14 Jul 2003 10:18:21 +0200
Subject: [Kdc-info] kdc-info/schema meeting time, again?
In-Reply-To:
References:
Message-ID: <3F12674D.40802@it.su.se>

RL 'Bob' Morgan wrote:

>Well, grumble, I already signed up for the social.
>
>Would Wednesday 1530-1730 work for folks?
>
I should be at v6ops...
From nshishir at novell.com Mon Jul 14 05:22:28 2003
From: nshishir at novell.com (Shishir Nagaraj)
Date: Mon, 14 Jul 2003 14:52:28 +0530
Subject: [Kdc-info] Re: [kdc-schema] LDAP password policy
In-Reply-To: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com>
References: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com>
Message-ID: <3F127654.1000103@novell.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> As I recall, in San Francisco the talk about integrating the KDC
> password policy with the LDAP password policy model was brought up.

The KDC password policy should be integrated with the password policy for easier administration. In many deployments the convenience of a common policy would override the security benefits of a separate policy. At the same time, a particular site might want different password policies for kerberos and LDAP credentials, based on the assessment of threats faced in their environment.

While the kerberos password policy model would benefit from the experience of the LDAP password policy model, the schema should be able to handle the scenarios of integrated and separate policy instances at the same time.

Shishir.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/EnZUjygmKfU2CWYRAkYCAKCg6g3mT14N6Fy5PYpdkUvZ/pGiDACdHAFX
ixbVsFI9JZ0cpv0e6RHIgKo=
=Hrh3
-----END PGP SIGNATURE-----

From leifj at it.su.se Mon Jul 14 13:57:15 2003
From: leifj at it.su.se (Leif Johansson)
Date: Mon, 14 Jul 2003 19:57:15 +0200
Subject: [Kdc-info] Re: [kdc-schema] LDAP password policy
In-Reply-To: <3F127654.1000103@novell.com>
References: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com> <3F127654.1000103@novell.com>
Message-ID: <3F12EEFB.2080302@it.su.se>

Shishir Nagaraj wrote:

>
> While the kerberos password policy model would benefit from the experience
> of the LDAP password policy model, the schema should be able to handle
> the scenarios of integrated and separate policy instances at the same
> time.

Agreed. My take is that there must be (?) semantic overlap between kerberos and ldap password policy (and between the kerberos set/change password protocol and the ldap set password exop) which might be resolved. In the context of the ldap schema this group is looking at writing, and from the point of view of an ldap client talking to the ldap "kadmin" service of a kdc, having these pairs of services/schema be interchangeable would seem to be a nice outcome of our work.

MVH leifj

From jhutz at cmu.edu Tue Jul 15 09:56:52 2003
From: jhutz at cmu.edu (Jeffrey Hutzelman)
Date: Tue, 15 Jul 2003 15:56:52 +0200 (CEST)
Subject: [Kdc-info] prelim draft of kdc information model
In-Reply-To:
Message-ID:

On Mon, 14 Jul 2003, Sam Hartman wrote:

> 2) Don't I want to be able to configure the enctypes and salttypes
> that future password changes will use per principal as well?

Yes, you probably do. This saves the user or administrator from having to explicitly specify a list of enctypes each time the password is changed.
This is particularly important with regard to service principals, where the set of enctypes for which there are keys in the KDC must match that supported by the server software.

From hartmans at MIT.EDU Tue Jul 15 10:54:53 2003
From: hartmans at MIT.EDU (Sam Hartman)
Date: Tue, 15 Jul 2003 10:54:53 -0400
Subject: [Kdc-info] prelim draft of kdc information model
In-Reply-To: (Jeffrey Hutzelman's message of "Tue, 15 Jul 2003 15:56:52 +0200 (CEST)")
References:
Message-ID:

>>>>> "Jeffrey" == Jeffrey Hutzelman writes:

    Jeffrey> On Mon, 14 Jul 2003, Sam Hartman wrote:
    >> 2) Don't I want to be able to configure the enctypes and
    >> salttypes that future password changes will use per principal
    >> as well?

    Jeffrey> Yes, you probably do. This saves the user or
    Jeffrey> administrator from having to explicitly specify a list of
    Jeffrey> enctypes each time the password is changed. This is
    Jeffrey> particularly important with regard to service principals,
    Jeffrey> where the set of enctypes for which there are keys in the
    Jeffrey> KDC must match that supported by the server software.

I'd actually argue that it is particularly unimportant for server software, where in an ideal world the application server's library will rekey to only those keys it supports, guaranteeing this match.

From leifj at it.su.se Wed Jul 16 13:50:48 2003
From: leifj at it.su.se (Leif Johansson)
Date: Wed, 16 Jul 2003 19:50:48 +0200
Subject: [Kdc-info] Notes from yesterdays meeting
Message-ID: <3F159078.6010103@it.su.se>

These are notes from yesterday's meeting on the kdc information model. Very, very brief, but better soon and short than late was my feeling. I'll start work on updating the draft and getting it submitted as soon as I get back from the ietf.

Good work yesterday everyone!

Cheers Leif

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ietf-57-notes.txt
Url: http://mailman.mit.edu/pipermail/kdc-info/attachments/20030716/a33b4a0c/attachment.txt

From leifj at it.su.se Wed Jul 16 13:52:49 2003
From: leifj at it.su.se (Leif Johansson)
Date: Wed, 16 Jul 2003 19:52:49 +0200
Subject: [Kdc-info] try 2
Message-ID: <3F1590F1.70501@it.su.se>

sent the wrong version -- sorry.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ietf-57-notes.txt
Url: http://mailman.mit.edu/pipermail/kdc-info/attachments/20030716/583fc45a/attachment.txt

From raeburn at MIT.EDU Mon Jul 21 12:17:55 2003
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 21 Jul 2003 12:17:55 -0400
Subject: [Kdc-info] prelim draft of kdc information model
In-Reply-To: (Sam Hartman's message of "Tue, 15 Jul 2003 10:54:53 -0400")
References:
Message-ID:

Sam Hartman writes:

>     Jeffrey> Yes, you probably do. This saves the user or
>     Jeffrey> administrator from having to explicitly specify a list of
>     Jeffrey> enctypes each time the password is changed. This is
>     Jeffrey> particularly important with regard to service principals,
>     Jeffrey> where the set of enctypes for which there are keys in the
>     Jeffrey> KDC must match that supported by the server software.
>
> I'd actually argue that it is particularly unimportant for server
> software, where in an ideal world the application server's library
> will rekey to only those keys it supports guaranteeing this match.

I don't see any point in perpetuating the overloading we do in the MIT database where the set of service key enctypes also describes the encryption types supported by the application server software. Given that, in many cases I suspect there's no need for the service to have more than one key and enctype. Obviously, that enctype must be one supported by the software, but there doesn't have to be a key for each supported enctype.
Ken

From Nicolas.Williams at sun.com Mon Jul 21 12:43:51 2003
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Mon, 21 Jul 2003 09:43:51 -0700
Subject: [Kdc-info] prelim draft of kdc information model
In-Reply-To:
References:
Message-ID: <20030721164351.GF8917@binky.central.sun.com>

On Mon, Jul 21, 2003 at 12:17:55PM -0400, Ken Raeburn wrote:
> I don't see any point in perpetuating the overloading we do in the MIT
> database where the set of service key enctypes also describes the
> encryption types supported by the application server software. Given
> that, in many cases I suspect there's no need for the service to have
> more than one key and enctype. Obviously, that enctype must be one
> supported by the software, but there doesn't have to be a key for each
> supported enctype.

Indeed, service principals need have no more than one key shared with the KDC.

As I said, draft-ietf-krb-wg-kerberos-set-passwd-01.txt will have a facility by which clients can tell the KDC what Kerberos features are supported by the principal whose keys are changing. The KDC needs to know at the very least what enctypes a service principal accepts, for the ticket session key enctype is the one thing that is negotiated between a client and service by proxy in the KDC exchanges. As we've discussed before, the Kerberos extensions work will only add to the number of things negotiated in this way, and the KDC will have to know what version of Kerberos V is supported by service principals, at the very least.

Cheers,

Nico
--

From hartmans at MIT.EDU Mon Jul 21 13:09:23 2003
From: hartmans at MIT.EDU (Sam Hartman)
Date: Mon, 21 Jul 2003 13:09:23 -0400
Subject: [Kdc-info] prelim draft of kdc information model
In-Reply-To: (Ken Raeburn's message of "Mon, 21 Jul 2003 12:17:55 -0400")
References:
Message-ID:

>>>>> "Ken" == Ken Raeburn writes:

    Ken> Sam Hartman writes:
    Jeffrey> Yes, you probably do.
    Jeffrey> This saves the user or
    Jeffrey> administrator from having to explicitly specify a list of
    Jeffrey> enctypes each time the password is changed. This is
    Jeffrey> particularly important with regard to service principals,
    Jeffrey> where the set of enctypes for which there are keys in the
    Jeffrey> KDC must match that supported by the server software.

    >> I'd actually argue that it is particularly unimportant for
    >> server software, where in an ideal world the application
    >> server's library will rekey to only those keys it supports
    >> guaranteeing this match.

    Ken> I don't see any point in perpetuating the overloading we do
    Ken> in the MIT database where the set of service key enctypes
    Ken> also describes the encryption types supported by the
    Ken> application server software.

I think there are too many enctype related options, not too few. If you want to separate enctypes a service supports from keys that a service has, I think that you should justify the additional complexity/options.

I agree that there is no need for both the supported enctypes and keyed enctypes to be the same. However I don't see any harm in doing things this way and it is one less thing to configure or get out of sync.

From Nicolas.Williams at sun.com Mon Jul 21 13:18:42 2003
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Mon, 21 Jul 2003 10:18:42 -0700
Subject: [Kdc-info] prelim draft of kdc information model
In-Reply-To:
References:
Message-ID: <20030721171842.GG8917@binky.central.sun.com>

On Mon, Jul 21, 2003 at 01:09:23PM -0400, Sam Hartman wrote:
> Ken> I don't see any point in perpetuating the overloading we do
> Ken> in the MIT database where the set of service key enctypes
> Ken> also describes the encryption types supported by the
> Ken> application server software.

SAM> I think there are too many enctype related options, not too
SAM> few.
SAM> If you want to separate enctypes a service supports from
SAM> keys that a service has, I think that you should justify the
SAM> additional complexity/options.

SAM> I agree that there is no need for both the supported enctypes
SAM> and keyed enctypes to be the same. However I don't see any
SAM> harm in doing things this way and it is one less thing to
SAM> configure or get out of sync.

The complexity is in the password/key change protocol and we'll need this for extensions anyways, which I think amply justifies the additional complexity.

Besides, the number of UI options visible to users and/or admins need not go up. When changing a service principal's keys the admin could be given the option of listing the enctypes that the principal accepts in order of preference, and the principal should magically end up with a single key of the first enctype in that list. This list of acceptable enctypes need not be provided every time that the service principal's keys change either.

Cheers,

Nico
--

From hartmans at MIT.EDU Mon Jul 21 13:28:42 2003
From: hartmans at MIT.EDU (Sam Hartman)
Date: Mon, 21 Jul 2003 13:28:42 -0400
Subject: [Kdc-info] prelim draft of kdc information model
In-Reply-To: <20030721171842.GG8917@binky.central.sun.com> (Nicolas Williams's message of "Mon, 21 Jul 2003 10:18:42 -0700")
References: <20030721171842.GG8917@binky.central.sun.com>
Message-ID:

>>>>> "Nicolas" == Nicolas Williams writes:

    Nicolas> The complexity is in the password/key change protocol and
    Nicolas> we'll need this for extensions anyways, which I think
    Nicolas> amply justifies the additional complexity.

No, we need one bit for extensions. We don't need a set of enctypes.

    Nicolas> Besides, the number of UI options visible to users and/or
    Nicolas> admins need not go up.

Then debugging becomes much harder. Again, what benefit do you get from separating these options?
From wyllys.ingersoll at sun.com Wed Jul 30 15:33:28 2003
From: wyllys.ingersoll at sun.com (Wyllys Ingersoll)
Date: Wed, 30 Jul 2003 15:33:28 -0400
Subject: [Kdc-info] Password change operations
Message-ID: <3F281D88.5010402@sun.com>

At the Vienna meeting, there was some discussion about the best way to handle password/key changes when using the LDAP administrative model. I was asked to look at the choices and make a short writeup - so here it is...

Choices - use the passwd-change draft currently being proposed by Nicolas Williams, use RFC 3062 (LDAP Password Modify Extended Operation), or define something new using the information model and schema that results from the ongoing discussions on this list.

The last option (define something new) is obviously the least attractive and I just mentioned it as a remote possibility.

RFC 3062 is probably not the best way to handle password requests in this situation because it is limited to only password change operations. The set-password draft is more complete and covers re-keying operations as well as simple password changes.

So, IMO, the KDC-INFO work should not specify password or key change operations. Passwords and keys should only be updated by using the set-password protocol. This will avoid confusion that might result from having multiple paths for changing a password and also avoids duplicating the work.

-Wyllys Ingersoll

From raeburn at MIT.EDU Thu Jul 31 08:52:30 2003
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 31 Jul 2003 08:52:30 -0400
Subject: [Kdc-info] prelim draft of kdc information model
In-Reply-To: (Sam Hartman's message of "Mon, 21 Jul 2003 13:28:42 -0400")
References: <20030721171842.GG8917@binky.central.sun.com>
Message-ID:

> Again, what benefit do you get from separating these options?
You get the option of having communication between the KDC and application server always well-protected with a strong enctype, while the client can choose to use a weaker session key type (e.g., if that's all it supports).

Granted, you can also do this by only using one of the keys as the service key, but then aren't you really just using the list of keys to implement a list of enctypes? That also implies a requirement for the ability to indicate which one (or more?) of the multiple stored keys may be used as the service key.

Ken

From hartmans at MIT.EDU Thu Jul 31 13:26:05 2003
From: hartmans at MIT.EDU (Sam Hartman)
Date: Thu, 31 Jul 2003 13:26:05 -0400
Subject: [Kdc-info] prelim draft of kdc information model
In-Reply-To: (Ken Raeburn's message of "Thu, 31 Jul 2003 08:52:30 -0400")
References: <20030721171842.GG8917@binky.central.sun.com>
Message-ID:

>>>>> "Ken" == Ken Raeburn writes:

    Ken> Granted, you can also do this by only using one of the keys
    Ken> as the service key, but then aren't you really just using the
    Ken> list of keys to implement a list of enctypes? That also
    Ken> implies a requirement for the ability to indicate which one
    Ken> (or more?) of the multiple stored keys may be used as the
    Ken> service key.

No, you can also just leave this up to the KDC.

From hartmans at MIT.EDU Thu Jul 31 14:29:55 2003
From: hartmans at MIT.EDU (Sam Hartman)
Date: Thu, 31 Jul 2003 14:29:55 -0400
Subject: [Kdc-info] Password change operations
In-Reply-To: <3F281D88.5010402@sun.com> (Wyllys Ingersoll's message of "Wed, 30 Jul 2003 15:33:28 -0400")
References: <3F281D88.5010402@sun.com>
Message-ID:

I think that we need to allow implementations to also support RFC 3062, possibly by funneling that through Nico's draft.
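[Editor's worked example, not part of the list archive.] The enctype subthread above (Ken Raeburn, Sam Hartman and Nicolas Williams on whether "keys the KDC holds for a service" should double as "enctypes the service accepts", and Ken's later point that a strong service key can coexist with a weaker session key) comes down to one selection step inside the KDC. The Python below is an added illustration, not code from MIT Kerberos, Heimdal, or the information-model draft: it models a service principal record both ways and runs the session-key selection rule of RFC 4120 (the session key enctype must be one the client listed and the service accepts) against a legacy client. Enctype numbers are the registered Kerberos values; the principal records, client preference lists and the `ServiceRecord`/`issue_ticket` names are constructed for the example.

```python
"""Session-key enctype selection at the KDC under two ways of recording
what a service principal supports.  Added example; not code from any
KDC or from the draft under discussion.  Enctype numbers are the IANA
Kerberos registry values; principal records and client lists below are
constructed for illustration."""

# Kerberos encryption type numbers (RFC 3961 / RFC 3962 / RFC 4757).
DES3_CBC_SHA1 = 16
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
RC4_HMAC = 23

ETYPE_NAMES = {16: "des3-cbc-sha1", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}


class ServiceRecord:
    """One KDC database entry for a service principal (constructed).

    keys:      enctypes for which the KDC actually stores a long-term key.
    supported: enctypes the server software accepts for a session key, or
               None when the database does not record this separately (the
               MIT-style overloading Ken describes: keys == supported).
    """

    def __init__(self, name, keys, supported=None):
        self.name = name
        self.keys = list(keys)
        self.supported = None if supported is None else list(supported)

    def session_etypes(self):
        """Enctypes the KDC believes the service accepts for a session key."""
        return self.supported if self.supported is not None else self.keys


def choose_session_etype(client_etypes, service):
    """First enctype in the client's preference list that the service
    accepts; None means no common enctype (KDC_ERR_ETYPE_NOSUPP)."""
    acceptable = set(service.session_etypes())
    for et in client_etypes:
        if et in acceptable:
            return et
    return None


STRENGTH_ORDER = [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96, DES3_CBC_SHA1, RC4_HMAC]


def choose_service_key_etype(service, preference=STRENGTH_ORDER):
    """Enctype of the long-term key that will encrypt the ticket.  This is
    the KDC's own choice ("leave this up to the KDC"): the strongest key it
    holds by `preference`, independent of the session key enctype."""
    for et in preference:
        if et in service.keys:
            return et
    return None


def issue_ticket(client_etypes, service):
    """Return (ticket_key_etype, session_key_etype); raise on no match."""
    session = choose_session_etype(client_etypes, service)
    if session is None:
        raise ValueError("KDC_ERR_ETYPE_NOSUPP: client offers %s, service accepts %s"
                         % ([ETYPE_NAMES[e] for e in client_etypes],
                            [ETYPE_NAMES[e] for e in service.session_etypes()]))
    return choose_service_key_etype(service), session


# Constructed scenario: a service whose only stored key is AES-256, and a
# legacy client that can only do des3.  Same key material both times; the
# only difference is whether "supported" is recorded separately.
OVERLOADED = ServiceRecord("host/legacy.example", keys=[AES256_CTS_HMAC_SHA1_96])
SEPARATED = ServiceRecord("host/legacy.example", keys=[AES256_CTS_HMAC_SHA1_96],
                          supported=[AES256_CTS_HMAC_SHA1_96, DES3_CBC_SHA1])
LEGACY_CLIENT = [DES3_CBC_SHA1]
MODERN_CLIENT = [AES256_CTS_HMAC_SHA1_96, DES3_CBC_SHA1]


def demo():
    """Run both database models against both clients; return the outcomes
    keyed by (model, client) as either (ticket_etype, session_etype) or the
    KDC error name."""
    out = {}
    for label, svc in (("keys-as-supported", OVERLOADED), ("separate-list", SEPARATED)):
        for cname, cet in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
            try:
                out[(label, cname)] = issue_ticket(cet, svc)
            except ValueError as e:
                out[(label, cname)] = str(e).split(":")[0]
    return out


if __name__ == "__main__":
    for k, v in sorted(demo().items()):
        print(k, v)
```

With the overloaded record the des3-only client is refused outright, because the KDC cannot tell that the server software would accept a des3 session key; with the separate list the same client gets a des3 session key while the ticket itself stays under the service's AES-256 key, which is exactly the outcome Ken describes. Sam's counterpoint is visible too: the second record has one more field to keep in sync with what the server actually runs.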
From Nicolas.Williams at sun.com Thu Jul 31 15:21:59 2003
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Thu, 31 Jul 2003 12:21:59 -0700
Subject: [Kdc-info] Password change operations
In-Reply-To:
References: <3F281D88.5010402@sun.com>
Message-ID: <20030731192159.GE12379@binky.central.sun.com>

On Thu, Jul 31, 2003 at 02:29:55PM -0400, Sam Hartman wrote:
> I think that we need to allow implementations to also support RFC
> 3062, possibly by funneling that through Nico's draft.

But the text should discourage this. There's no allowance for password policies in RFC3062.

Of course, one might prefer to use the ASN.1 types for the operations in the change password draft through LDAP, rather than through a standalone protocol. Details would have to be worked out, but it seems doable.

Cheers,

Nico
--

From leifj at it.su.se Thu Jul 31 15:32:13 2003
From: leifj at it.su.se (Leif Johansson)
Date: Thu, 31 Jul 2003 21:32:13 +0200
Subject: [Kdc-info] Password change operations
In-Reply-To: <20030731192159.GE12379@binky.central.sun.com>
References: <3F281D88.5010402@sun.com> <20030731192159.GE12379@binky.central.sun.com>
Message-ID: <3F296EBD.4010601@it.su.se>

Nicolas Williams wrote:

>On Thu, Jul 31, 2003 at 02:29:55PM -0400, Sam Hartman wrote:
>
>>I think that we need to allow implementations to also support RFC
>>3062, possibly by funneling that through Nico's draft.
>>
>
>But the text should discourage this. There's no allowance for password
>policies in RFC3062.
>
Password policies are a different matter altogether from the protocol which sets passwords and keys. I am not advocating use of RFC3062, but I believe the schema derived from the information model probably needs an applicability statement where RFC3062 probably has to be covered in some way, if only to say that its use is discouraged in this context. If Wyllys's analysis is correct then rfc3062 is too limited to have significant semantic overlap with Nico's draft.
Then clearly the info-model has to defer to the set/change password draft.

>Of course, one might prefer to use the ASN.1 types for the operations in
>the change password draft through LDAP, rather than through a standalone
>protocol. Details would have to be worked out, but it seems doable.

There might be a son-of-rfc3062 hidden here which imo would be a good thing. Lots of installations will probably use some kind of kdc+directory in the not too far future and I would hate for there to be confusion about a fundamental operation like password change.

Cheers Leif

From hartmans at MIT.EDU Thu Jul 31 15:35:56 2003
From: hartmans at MIT.EDU (Sam Hartman)
Date: Thu, 31 Jul 2003 15:35:56 -0400
Subject: [Kdc-info] Password change operations
In-Reply-To: <20030731192159.GE12379@binky.central.sun.com> (Nicolas Williams's message of "Thu, 31 Jul 2003 12:21:59 -0700")
References: <3F281D88.5010402@sun.com> <20030731192159.GE12379@binky.central.sun.com>
Message-ID: 

>>>>> "Nicolas" == Nicolas Williams writes:

    Nicolas> On Thu, Jul 31, 2003 at 02:29:55PM -0400, Sam Hartman
    Nicolas> wrote:
    >> I think that we need to allow implementations to also support
    >> RFC 3062, possibly by funneling that through Nico's draft.

    Nicolas> But the text should discourage this. There's no
    Nicolas> allowance for password policies in RFC3062.

I suspect that most people will end up implementing this feature in practice and will return some useless error if policy denies the change. LDAP is one of the few technology-independent ways of changing your password.
From Nicolas.Williams at sun.com Thu Jul 31 15:44:33 2003
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Thu, 31 Jul 2003 12:44:33 -0700
Subject: [Kdc-info] Password change operations
In-Reply-To: 
References: <3F281D88.5010402@sun.com> <20030731192159.GE12379@binky.central.sun.com> <3F296EBD.4010601@it.su.se>
Message-ID: <20030731194433.GF12379@binky.central.sun.com>

On Thu, Jul 31, 2003 at 09:32:13PM +0200, Leif Johansson wrote:
> Nicolas Williams wrote:
> >Of course, one might prefer to use the ASN.1 types for the operations in
> >the change password draft through LDAP, rather than through a standalone
> >protocol. Details would have to be worked out, but it seems doable.
> 
> There might be a son-of-rfc3062 hidden here which imo would be a good thing.
> Lots of installations will probably use some kind of kdc+directory in
> the not too far future and I would hate for there to be confusion about a
> fundamental operation like password change.

Not only that, the change password protocol operations for password changing/setting in the upcoming -01 are close to being independent of Kerberos: there's an optional enctypes field in the request and response and error codes relating to enctypes, but that's it - the target principal name is given in the outer "Request" type (which wouldn't be used in a son-of-rfc3062, as you call it).

Mind you, I'd rather proceed with the Kerberos-specific change password protocol than with a son-of-rfc3062.

On Thu, 31 Jul 2003 at 15:35:56 -0400, Sam Hartman wrote:
> >>>>> "Nicolas" == Nicolas Williams writes:
> >> I think that we need to allow implementations to also support
> >> RFC 3062, possibly by funneling that through Nico's draft.
> 
> Nicolas> But the text should discourage this. There's no
> Nicolas> allowance for password policies in RFC3062.
> 
> I suspect that most people will end up implementing this feature in
> practice and will return some useless error if policy denies the
> change.
> LDAP is one of the few technology-independent ways of changing your
> password.

See above. If there's enough desire we could make a son-of-rfc3062.

Cheers,

Nico
-- 

From leifj at it.su.se Thu Jul 31 15:58:36 2003
From: leifj at it.su.se (Leif Johansson)
Date: Thu, 31 Jul 2003 21:58:36 +0200
Subject: [Kdc-info] Password change operations
In-Reply-To: <20030731194433.GF12379@binky.central.sun.com>
References: <3F281D88.5010402@sun.com> <20030731192159.GE12379@binky.central.sun.com> <3F296EBD.4010601@it.su.se> <20030731194433.GF12379@binky.central.sun.com>
Message-ID: <3F2974EC.4090805@it.su.se>

Nicolas Williams wrote:

>Mind you, I'd rather proceed with the Kerberos-specific change password
>protocol than with a son-of-rfc3062.

Oh yes don't get me wrong - maybe if you made some hooks for running set/change over alternate transports someone can get back to writing son-of-rfc3062 later.

MVH leifj