Proposal for using NAPTR/URI records

Simo Sorce simo at
Tue Feb 24 14:25:30 EST 2015

On Tue, 2015-02-24 at 12:53 -0600, Nico Williams wrote:
> On Tue, Feb 24, 2015 at 12:19 PM, Nathaniel McCallum
> <npmccallum at> wrote:
> > MITM attack isn't a property limited only to MS-KKDCP. It is possible
> > at pretty much every level. Any attack possible over MS-KKDCP is
> > possible pretty much everywhere. In fact, I consider MS-KKDCP *more*
> > secure given that it goes over TLS and the TLS connection is validated.
> Yes, but we're working towards closing many MITM-on-the-wire cases.
> DNSSEC takes care of one set of cases.  FAST takes care of the rest
> (to some degree).  (IPsec is out; let's not mention it.)  Admittedly,
> that's part of the answer to the problem here: use DNSSEC where zones
> don't opt-out.
> > Frankly, I'd like to see us drop the TLS requirement for MS-KKDCP...
> > But now I'm really stirring the pot. :)
> But I agree with this.  If we use FAST for AS *and* TGS exchanges,
> then what do we get from TLS that we're not already getting from FAST?
> This is important from an implementation complexity point of view.
> It's a given that we'll all need DNSSEC, fine, and Kerberos, since
> Kerberos is the point here, but why add a dependency on TLS?  That
> brings in a whole bunch of things that a Kerberos implementor might
> not want to have to deal with.

Just for the record, I'll add a "me too" to the list of people who think
TLS should not be required for the MS-KKDCP protocol implementation; it
should be optional.


Simo Sorce * Red Hat, Inc * New York