From leifj at it.su.se Thu Jul 3 02:15:05 2003
From: leifj at it.su.se (Leif Johansson)
Date: Thu, 03 Jul 2003 08:15:05 +0200
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
In-Reply-To:
References:
Message-ID: <3F03C9E9.1030202@it.su.se>

Bob Joslin wrote:

> I recall that I saw a message from Leif that contained the info model draft.
> But scanning my emails and the list does not produce anything. Either I was
> dreaming, or I'm blind. Leif, did you post your draft yet?
>
> BTW, Sherman Wu, from HP, will be in Vienna from our team. If you do work
> out a BOF, I mentioned that it's likely scheduling/location details would be
> posted to kdc-info or kdc-schema. Could someone do that in case a meeting
> is set up?
>
> Thanks,
>
> Bob

Hmm... I think I must have missed the crucial step somewhere. The draft
will follow this message. I suggest a bar-bof. Does anyone have enough of a
grip on the agenda to suggest a time?

Cheers Leif

From leifj at it.su.se Thu Jul 3 02:23:27 2003
From: leifj at it.su.se (Leif Johansson)
Date: Thu, 03 Jul 2003 08:23:27 +0200
Subject: [kdc-schema] prelim draft of kdc information model
Message-ID: <3F03CBDF.3080201@it.su.se>

This is a first draft of the information model draft as discussed in SF. The
draft missed the -00 cutoff. Hopefully there will be an offline meeting about
this in Vienna (details will be posted on kdc-info at mit.edu and kdc-schema
at mit.edu). I am prepared to give a short summary on the progress of this
work at the wg meeting if there is enough interest.

/leifj

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: draft-ietf-johansson-krb-model-00.txt
Url: http://mailman.mit.edu/pipermail/kdc-schema/attachments/20030703/3c825286/attachment.txt

From Morteza.Ansari at sun.com Sun Jul 6 23:37:09 2003
From: Morteza.Ansari at sun.com (Morteza Ansari)
Date: Sun, 06 Jul 2003 20:37:09 -0700
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
References: <3F03C9E9.1030202@it.su.se>
Message-ID: <3F08EAE5.1BE6AC32@sun.com>

Leif Johansson wrote:
>
> Bob Joslin wrote:
>
> > I recall that I saw a message from Leif that contained the info model draft.
> > But scanning my emails and the list does not produce anything. Either I was
> > dreaming, or I'm blind. Leif, did you post your draft yet?
> >
> > BTW, Sherman Wu, from HP, will be in Vienna from our team. If you do work
> > out a BOF, I mentioned that it's likely scheduling/location details would be
> > posted to kdc-info or kdc-schema. Could someone do that in case a meeting
> > is set up?
> >
> > Thanks,
> >
> > Bob
>
> Hmm... I think I must have missed the crucial step somewhere. The draft
> will follow this message. I suggest a bar-bof. Does anyone have enough of a
> grip on the agenda to suggest a time?

How about Monday evening? Just to throw a time, how about 8pm? I am
personally free after 5:30, so pretty much anytime Monday night would do
for me.

Cheers,
Morteza

From leifj at it.su.se Mon Jul 7 04:56:35 2003
From: leifj at it.su.se (Leif Johansson)
Date: Mon, 07 Jul 2003 10:56:35 +0200
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
In-Reply-To: <3F08EAE5.1BE6AC32@sun.com>
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com>
Message-ID: <3F0935C3.7090707@it.su.se>

Morteza Ansari wrote:

> How about Monday evening? Just to throw a time, how about 8pm? I am
> personally free after 5:30, so pretty much anytime Monday night would do
> for me.
>
> Cheers,
> Morteza

The ipv6 wg is meeting after dinner so that won't work for me. How about
Tuesday after the krb-wg? Or is everyone going to the social event?

Cheers leifj

From Morteza.Ansari at sun.com Mon Jul 7 05:19:35 2003
From: Morteza.Ansari at sun.com (Morteza Ansari)
Date: Mon, 07 Jul 2003 02:19:35 -0700
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com> <3F0935C3.7090707@it.su.se>
Message-ID: <3F093B27.219E0C5D@sun.com>

Leif Johansson wrote:
>
> Morteza Ansari wrote:
>
> > How about Monday evening? Just to throw a time, how about 8pm? I am
> > personally free after 5:30, so pretty much anytime Monday night would do
> > for me.
> >
> > Cheers,
> > Morteza
>
> The ipv6 wg is meeting after dinner so that won't work for me. How about
> Tuesday after the krb-wg? Or is everyone going to the social event?

Tuesday night works for me.

Cheers,
Morteza

From wyllys.ingersoll at sun.com Mon Jul 7 09:01:09 2003
From: wyllys.ingersoll at sun.com (Wyllys Ingersoll)
Date: Mon, 07 Jul 2003 09:01:09 -0400
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
In-Reply-To: <3F08EAE5.1BE6AC32@sun.com>
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com>
Message-ID: <3F096F15.5080003@sun.com>

Monday night works for me.

-Wyllys

Morteza Ansari wrote:
> Leif Johansson wrote:
>
>> Bob Joslin wrote:
>>
>>> I recall that I saw a message from Leif that contained the info model draft.
>>> But scanning my emails and the list does not produce anything. Either I was
>>> dreaming, or I'm blind. Leif, did you post your draft yet?
>>>
>>> BTW, Sherman Wu, from HP, will be in Vienna from our team. If you do work
>>> out a BOF, I mentioned that it's likely scheduling/location details would be
>>> posted to kdc-info or kdc-schema. Could someone do that in case a meeting
>>> is set up?
>>>
>>> Thanks,
>>>
>>> Bob
>>
>> Hmm... I think I must have missed the crucial step somewhere. The draft
>> will follow this message. I suggest a bar-bof. Does anyone have enough of a
>> grip on the agenda to suggest a time?
>
> How about Monday evening? Just to throw a time, how about 8pm? I am
> personally free after 5:30, so pretty much anytime Monday night would do
> for me.
>
> Cheers,
> Morteza
> _______________________________________________
> kdc-schema mailing list
> kdc-schema at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kdc-schema

From leifj at it.su.se Mon Jul 7 10:20:51 2003
From: leifj at it.su.se (Leif Johansson)
Date: Mon, 07 Jul 2003 16:20:51 +0200
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
In-Reply-To: <3F096F15.5080003@sun.com>
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com> <3F096F15.5080003@sun.com>
Message-ID: <3F0981C3.7000204@it.su.se>

Wyllys Ingersoll wrote:
>
> Monday night works for me.
>

How about Tuesday?

Cheers Leif

From wyllys.ingersoll at sun.com Mon Jul 7 10:29:09 2003
From: wyllys.ingersoll at sun.com (Wyllys Ingersoll)
Date: Mon, 07 Jul 2003 10:29:09 -0400
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
In-Reply-To: <3F0981C3.7000204@it.su.se>
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com> <3F096F15.5080003@sun.com> <3F0981C3.7000204@it.su.se>
Message-ID: <3F0983B5.4010606@sun.com>

Leif Johansson wrote:
> Wyllys Ingersoll wrote:
>
>> Monday night works for me.
>>
> How about Tuesday?
>
> Cheers Leif
>

Tuesday is also fine, I should have read all of my mail before responding
earlier. I'm pretty much open all week.

-Wyllys

From leifj at it.su.se Tue Jul 8 09:01:22 2003
From: leifj at it.su.se (Leif Johansson)
Date: Tue, 08 Jul 2003 15:01:22 +0200
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
In-Reply-To: <3F0983B5.4010606@sun.com>
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com> <3F096F15.5080003@sun.com> <3F0981C3.7000204@it.su.se> <3F0983B5.4010606@sun.com>
Message-ID: <3F0AC0A2.6020408@it.su.se>

The standing suggestion is that we meet on Tuesday after the krb-wg just
outside the krb-wg room, wherever that is.

Cheers Leif

From wyllys.ingersoll at sun.com Tue Jul 8 15:50:07 2003
From: wyllys.ingersoll at sun.com (Wyllys Ingersoll)
Date: Tue, 08 Jul 2003 15:50:07 -0400
Subject: [kdc-schema] Re: [Kdc-info] Info Model?
In-Reply-To: <3F0AC0A2.6020408@it.su.se>
References: <3F03C9E9.1030202@it.su.se> <3F08EAE5.1BE6AC32@sun.com> <3F096F15.5080003@sun.com> <3F0981C3.7000204@it.su.se> <3F0983B5.4010606@sun.com> <3F0AC0A2.6020408@it.su.se>
Message-ID: <3F0B206F.8090006@sun.com>

That works for me.

-Wyllys

Leif Johansson wrote:
>
> The standing suggestion is that we meet on Tuesday after the krb-wg just
> outside the krb-wg room, wherever that is.
>
> Cheers Leif
>
> _______________________________________________
> kdc-schema mailing list
> kdc-schema at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kdc-schema

From bob.joslin at hp.com Fri Jul 11 11:04:37 2003
From: bob.joslin at hp.com (Bob Joslin)
Date: Fri, 11 Jul 2003 08:04:37 -0700
Subject: [kdc-schema] LDAP password policy
Message-ID: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com>

As I recall, in San Francisco the talk about integrating the KDC password
policy with the LDAP password policy model was brought up. Has anyone
talked with Ludovic or Jim about the kdc-schema meeting after the Kerberos
WG? It might be very valuable to get their input or gauge their direction.

Bob

From leifj at it.su.se Sun Jul 13 05:49:35 2003
From: leifj at it.su.se (Leif Johansson)
Date: Sun, 13 Jul 2003 11:49:35 +0200
Subject: [kdc-schema] Re: [Kdc-info] LDAP password policy
In-Reply-To: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com>
References: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com>
Message-ID: <3F112B2F.10605@it.su.se>

Bob Joslin wrote:

> As I recall, in San Francisco the talk about integrating the KDC password
> policy with the LDAP password policy model was brought up. Has anyone
> talked with Ludovic or Jim about the kdc-schema meeting after the Kerberos
> WG? It might be very valuable to get their input or gauge their direction.
>
> Bob
>
> _______________________________________________
> kdc-info mailing list
> kdc-info at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kdc-info

I don't think so.
We should try to corner either of them this week. Anyone who sees them
should try to get them to come to the meeting on Tuesday.

MVH leifj

From Ludovic.Poitou at Sun.com Sun Jul 13 10:19:10 2003
From: Ludovic.Poitou at Sun.com (Ludovic Poitou)
Date: Sun, 13 Jul 2003 16:19:10 +0200
Subject: [kdc-schema] Re: [Kdc-info] LDAP password policy
References: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com> <3F112B2F.10605@it.su.se>
Message-ID: <3F116A5E.9070701@Sun.com>

I'm only on the kdc-schema list and will join you on Tuesday.

Ludovic

Leif Johansson wrote:
> Bob Joslin wrote:
>
>> As I recall, in San Francisco the talk about integrating the KDC password
>> policy with the LDAP password policy model was brought up. Has anyone
>> talked with Ludovic or Jim about the kdc-schema meeting after the Kerberos
>> WG? It might be very valuable to get their input or gauge their direction.
>>
>> Bob
>>
>> _______________________________________________
>> kdc-info mailing list
>> kdc-info at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/kdc-info
>>
> I don't think so. We should try to corner either of them this week.
> Anyone who sees them should try to get them to come to the meeting on
> Tuesday.
>
> MVH leifj
>
> _______________________________________________
> kdc-schema mailing list
> kdc-schema at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kdc-schema

From leifj at it.su.se Sun Jul 13 10:37:01 2003
From: leifj at it.su.se (Leif Johansson)
Date: Sun, 13 Jul 2003 16:37:01 +0200
Subject: [kdc-schema] Re: [Kdc-info] LDAP password policy
In-Reply-To: <3F116A5E.9070701@Sun.com>
References: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com> <3F112B2F.10605@it.su.se> <3F116A5E.9070701@Sun.com>
Message-ID: <3F116E8D.8070109@it.su.se>

Ludovic Poitou wrote:
> I'm only on the kdc-schema list and will join you on Tuesday.
>
> Ludovic

Great. See you there.
From rlmorgan at washington.edu Mon Jul 14 04:15:06 2003
From: rlmorgan at washington.edu (RL 'Bob' Morgan)
Date: Mon, 14 Jul 2003 10:15:06 +0200 (CEST)
Subject: [kdc-schema] kdc-info/schema meeting time, again?
In-Reply-To: <3F0AC0A2.6020408@it.su.se>
Message-ID:

On Tue, 8 Jul 2003, Leif Johansson wrote:

> The standing suggestion is that we meet on Tuesday after the krb-wg just
> outside the krb-wg room, wherever that is.

Well, grumble, I already signed up for the social.

Would Wednesday 1530-1730 work for folks?

 - RL "Bob"

From leifj at it.su.se Mon Jul 14 04:18:21 2003
From: leifj at it.su.se (Leif Johansson)
Date: Mon, 14 Jul 2003 10:18:21 +0200
Subject: [kdc-schema] Re: [Kdc-info] kdc-info/schema meeting time, again?
In-Reply-To:
References:
Message-ID: <3F12674D.40802@it.su.se>

RL 'Bob' Morgan wrote:

> Well, grumble, I already signed up for the social.
>
> Would Wednesday 1530-1730 work for folks?

I should be at v6ops...

From nshishir at novell.com Mon Jul 14 05:22:28 2003
From: nshishir at novell.com (Shishir Nagaraj)
Date: Mon, 14 Jul 2003 14:52:28 +0530
Subject: [kdc-schema] LDAP password policy
In-Reply-To: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com>
References: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com>
Message-ID: <3F127654.1000103@novell.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> As I recall, in San Francisco the talk about integrating the KDC password
> policy with the LDAP password policy model was brought up.

The KDC password policy should be integrated with the password policy for
easier administration. In many deployments the convenience of a common
policy would override the security benefits of a separate policy. At the
same time, a particular site might want different password policies for
Kerberos and LDAP credentials, based on the assessment of threats faced in
their environment.
While the Kerberos password policy model would benefit from the experience
of the LDAP password policy model, the schema should be able to handle the
scenarios of integrated and separate policy instances at the same time.

Shishir.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/EnZUjygmKfU2CWYRAkYCAKCg6g3mT14N6Fy5PYpdkUvZ/pGiDACdHAFX
ixbVsFI9JZ0cpv0e6RHIgKo=
=Hrh3
-----END PGP SIGNATURE-----

From leifj at it.su.se Mon Jul 14 13:57:15 2003
From: leifj at it.su.se (Leif Johansson)
Date: Mon, 14 Jul 2003 19:57:15 +0200
Subject: [Kdc-info] Re: [kdc-schema] LDAP password policy
In-Reply-To: <3F127654.1000103@novell.com>
References: <000501c347bd$c5c551e0$55b0ec0f@cup.hp.com> <3F127654.1000103@novell.com>
Message-ID: <3F12EEFB.2080302@it.su.se>

Shishir Nagaraj wrote:
>
> While the Kerberos password policy model would benefit from the experience
> of the LDAP password policy model, the schema should be able to handle
> the scenarios of integrated and separate policy instances at the same
> time.

Agreed. My take is that there must be (?) semantic overlap between Kerberos
and LDAP password policy (and between the Kerberos set/change password
protocol and the LDAP set password exop) which might be resolved. In the
context of the LDAP schema this group is looking at writing, and from the
point of view of an LDAP client talking to the LDAP "kadmin" service of a
KDC, having these pairs of services/schema be interchangeable would seem to
be a nice outcome of our work.

MVH leifj

From leifj at it.su.se Wed Jul 16 13:50:48 2003
From: leifj at it.su.se (Leif Johansson)
Date: Wed, 16 Jul 2003 19:50:48 +0200
Subject: [kdc-schema] Notes from yesterday's meeting
Message-ID: <3F159078.6010103@it.su.se>

These are notes from yesterday's meeting on the kdc information model. Very
very brief, but better soon and short than late was my feeling.
I'll start work on updating the draft and getting it submitted as soon as I
get back from the IETF.

Good work yesterday everyone!

Cheers Leif

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ietf-57-notes.txt
Url: http://mailman.mit.edu/pipermail/kdc-schema/attachments/20030716/a33b4a0c/attachment.txt

From leifj at it.su.se Wed Jul 16 13:52:49 2003
From: leifj at it.su.se (Leif Johansson)
Date: Wed, 16 Jul 2003 19:52:49 +0200
Subject: [kdc-schema] try 2
Message-ID: <3F1590F1.70501@it.su.se>

Sent the wrong version -- sorry.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ietf-57-notes.txt
Url: http://mailman.mit.edu/pipermail/kdc-schema/attachments/20030716/583fc45a/attachment.txt

From ludovic.poitou at Sun.COM Wed Jul 30 06:24:50 2003
From: ludovic.poitou at Sun.COM (Ludovic Poitou)
Date: Wed, 30 Jul 2003 12:24:50 +0200
Subject: [kdc-schema] Kerberos Password Policy vs LDAP Password Policy
Message-ID: <3F279CF2.4060400@Sun.COM>

I've done an evaluation of both Kerberos and LDAP password policies, based
on a Sun blueprint (http://www.sun.com/blueprints/1001/krb.pdf, page 12
"Establishing the Password Policies").

There's nothing in the Kerberos password policy that is not supported by the
LDAP password policy.

The only item that differs is the Kerberos "Maximum Password Classes". The
LDAP password policy defines whether the "syntax" is to be checked but
doesn't define what the minimal requirements on the password itself are.
These requirements are implementation details.

Ludovic
---
Ludovic Poitou
Sun ONE Directory Architect
Sun Microsystems.
From leifj at it.su.se Wed Jul 30 06:18:57 2003
From: leifj at it.su.se (Leif Johansson)
Date: Wed, 30 Jul 2003 12:18:57 +0200
Subject: [kdc-schema] Kerberos Password Policy vs LDAP Password Policy
In-Reply-To: <3F279CF2.4060400@Sun.COM>
References: <3F279CF2.4060400@Sun.COM>
Message-ID: <3F279B91.6060802@it.su.se>

Ludovic Poitou wrote:

> I've done an evaluation of both Kerberos and LDAP password policies,
> based on a Sun blueprint (http://www.sun.com/blueprints/1001/krb.pdf,
> page 12 "Establishing the Password Policies").
>
> There's nothing in the Kerberos password policy that is not supported
> by the LDAP password policy.
>
> The only item that differs is the Kerberos "Maximum Password Classes".
> The LDAP password policy defines whether the "syntax" is to be checked
> but doesn't define what the minimal requirements on the password
> itself are. These requirements are implementation details.
>

Good work Ludovic - I guess there should be a separate type of policy:
password quality ...

Cheers Leif

From ludovic.poitou at Sun.COM Wed Jul 30 06:42:49 2003
From: ludovic.poitou at Sun.COM (Ludovic Poitou)
Date: Wed, 30 Jul 2003 12:42:49 +0200
Subject: [kdc-schema] Kerberos Password Policy vs LDAP Password Policy
In-Reply-To: <3F279B91.6060802@it.su.se>
References: <3F279CF2.4060400@Sun.COM> <3F279B91.6060802@it.su.se>
Message-ID: <3F27A129.7020702@Sun.COM>

Leif Johansson wrote:
> Ludovic Poitou wrote:
>
>> I've done an evaluation of both Kerberos and LDAP password policies,
>> based on a Sun blueprint (http://www.sun.com/blueprints/1001/krb.pdf,
>> page 12 "Establishing the Password Policies").
>>
>> There's nothing in the Kerberos password policy that is not supported
>> by the LDAP password policy.
>>
>> The only item that differs is the Kerberos "Maximum Password Classes".
>> The LDAP password policy defines whether the "syntax" is to be
>> checked but doesn't define what the minimal requirements on the
>> password itself are.
>> These requirements are implementation details.
>>
>
> Good work Ludovic - I guess there should be a separate type of policy:
> password quality ...
>
> Cheers Leif

I agree.
However, I don't believe there is a very common way to express password
quality. Each organization has its own opinion of the minimum quality and
the way to express it.
Classes of characters is one way. Some other ways include more explicit
lower and upper case characters, number of characters in each class and even
positioning of these classes of characters, checking against specific
dictionaries....

Ludovic.

From leifj at it.su.se Wed Jul 30 06:44:11 2003
From: leifj at it.su.se (Leif Johansson)
Date: Wed, 30 Jul 2003 12:44:11 +0200
Subject: [kdc-schema] Kerberos Password Policy vs LDAP Password Policy
In-Reply-To: <3F27A129.7020702@Sun.COM>
References: <3F279CF2.4060400@Sun.COM> <3F279B91.6060802@it.su.se> <3F27A129.7020702@Sun.COM>
Message-ID: <3F27A17B.4020009@it.su.se>

Ludovic Poitou wrote:
>
> I agree.
> However, I don't believe there is a very common way to express password
> quality. Each organization has its own opinion of the minimum quality and
> the way to express it.
> Classes of characters is one way. Some other ways include more explicit
> lower and upper case characters, number of characters in each class and
> even positioning of these classes of characters, checking against
> specific dictionaries....
>
> Ludovic.

Again I agree. I think this is a type of policy which just has an OID and
leaves the rest as an extension.
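A worked illustration of the design the last three messages converge on, added here and not code from the kdc-schema list or any draft: a password-quality policy carried as an OID-identified type whose details are an extension, with the Kerberos-style character-class count and a per-class/dictionary policy as two instances. The OIDs, field names, checker functions and sample policies are constructed placeholders; the dictionary check stands in for the site-specific dictionaries Ludovic mentions.

```python
# Added example, not code from the kdc-schema list or any draft: a
# password-quality policy identified by an OID, with the rest left to an
# extension, as the thread suggests. OIDs, field names and sample policies
# are constructed placeholders.
import re
from dataclasses import dataclass, field

# Constructed placeholder OIDs; a real schema would register its own arc.
OID_MIN_CLASSES = "1.3.6.1.4.1.99999.1.1"    # Kerberos-style: N character classes
OID_PER_CLASS = "1.3.6.1.4.1.99999.1.2"      # per-class minimums + dictionary check

CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "other": re.compile(r"[^a-zA-Z0-9]"),
}

def class_counts(password):
    """Number of characters in each class; shared by both policy types."""
    return {name: len(rx.findall(password)) for name, rx in CLASSES.items()}

@dataclass
class QualityPolicy:
    """Generic envelope: the OID names the policy type, params is the extension."""
    oid: str
    min_length: int = 8
    params: dict = field(default_factory=dict)

def check_min_classes(password, policy):
    """Kerberos-style rule: at least min_classes distinct classes present."""
    present = sum(1 for n in class_counts(password).values() if n > 0)
    return present >= policy.params.get("min_classes", 1)

def check_per_class(password, policy):
    """Explicit per-class minimums plus a (constructed) dictionary check."""
    counts = class_counts(password)
    for name, needed in policy.params.get("min_per_class", {}).items():
        if counts.get(name, 0) < needed:
            return False
    lowered = password.lower()
    return not any(w in lowered for w in policy.params.get("dictionary", ()))

CHECKERS = {OID_MIN_CLASSES: check_min_classes, OID_PER_CLASS: check_per_class}

def evaluate(password, policy):
    """Return (accepted, reason). An OID with no registered checker fails closed."""
    if len(password) < policy.min_length:
        return False, "shorter than %d" % policy.min_length
    checker = CHECKERS.get(policy.oid)
    if checker is None:
        return False, "unknown policy type %s" % policy.oid
    if not checker(password, policy):
        return False, "fails policy %s" % policy.oid
    return True, "ok"

# Sample policies (constructed) for the two styles discussed on the list.
KRB_STYLE = QualityPolicy(OID_MIN_CLASSES, 8, {"min_classes": 3})
SITE_STYLE = QualityPolicy(OID_PER_CLASS, 10, {
    "min_per_class": {"upper": 1, "digit": 2},
    "dictionary": ("password", "kerberos"),
})
```

Failing closed on an unregistered OID matters in practice: a KDC or directory that silently accepted passwords under a policy type it could not interpret would turn a schema-versioning gap into a quality-policy bypass.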