Proposal for using NAPTR/URI records
Nico Williams
nico at cryptonector.com
Tue Feb 24 13:53:23 EST 2015
On Tue, Feb 24, 2015 at 12:19 PM, Nathaniel McCallum
<npmccallum at redhat.com> wrote:
> MITM attack isn't a property limited only to MS-KKDCP. It is possible
> at pretty much every level. Any attack possible over MS-KKDCP is
> possible pretty much everywhere. In fact, I consider MS-KKDCP *more*
> secure given that it goes over TLS and the TLS connection is validated.
Yes, but we're working towards closing many MITM-on-the-wire cases.
DNSSEC takes care of one set of cases. FAST takes care of the rest
(to some degree). (IPsec is out; let's not mention it.) Admittedly,
that's part of the answer to the problem here: use DNSSEC where zones
don't opt-out.
> Frankly, I'd like to see us drop the TLS requirement for MS-KKDCP...
> But now I'm really stirring the pot. :)
But I agree with this. If we use FAST for AS *and* TGS exchanges,
then what do we get from TLS that we're not already getting from FAST?
This is important from an implementation complexity point of view.
It's a given that we'll all need DNSSEC, fine, and Kerberos, since
Kerberos is the point here, but why add a dependency on TLS? That
brings in a whole bunch of things that a Kerberos implementor might
not want to have to deal with.
Nico
--
More information about the krbdev
mailing list