Re: RFC 4121 & acceptor subkey use in MIC token generation

From: nic...@cryptonector.com (Nico Williams)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Thu, 26 Oct 2023 17:28:07 -0500
Message-ID: <mailman.33.1698359297.2263420.kerberos@mit.edu>
Cc: kerberos@mit.edu
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
 by: Nico Williams - Thu, 26 Oct 2023 22:28 UTC

On Thu, Oct 26, 2023 at 05:57:37PM -0400, Ken Hornstein via Kerberos wrote:
> You know that. I know that. But remember: "if you're explaining,
> you're losing". When asked I can honestly say, "Kerberos is not
> a PKI" and that's good enough, but I can't say with a straight
> face, "This X.509 CA over here is not a PKI".

Have you considered the private sector?

More seriously, there must be an office that could evaluate the use of
online CAs that issue short-lived certificates using issuer keys stored
in HSMs (or software keys when the sub-CA has a very narrow
applicability, meaning very few systems will trust it). Such CAs would
be very useful, I'm sure, especially if you could dispense with
revocation checking at the relying party because a) the certificate will
be as short-lived as a Kerberos ticket, b) the online issuer will have
checked revocation for the longer-lived credential used to authenticate
to it.

> >Presumably OpenSSH CAs are a different story because they're not x.509? :)
>
> Strangely enough, I am not aware of anyone in the DoD that uses OpenSSH
> CAs (there probably are, I just don't know them). I could see it being
> argued both ways. The people I know who use OpenSSH are (a) using
> gssapi-with-mic like us, (b) just using passwords, or (c) using their
> client smartcard key as a key for RSA authentication and they call that
> "DOD PKI authentication". Again, you know and I know that isn't really
> using PKI certificates, but the people up the chain aren't really smart
> enough to understand the distinction; they see that you're using the
> smartcard and that's good enough for them.

But it is _a_ form of PKI, just not x.509/PKIX PKI, thus the smiley.

> >Don't you have OCSP responders?
>
> We _do_, it's just a pain to find an OCSP responder that can handle that
> many. If the official ones go offline that breaks our KDC so we run our
> own locally.

Ah, so what you mean is that you have a CRL replication problem.

Nico
--
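
The short-lived certificate arrangement described in the message above, modelled as an added example that is not part of the original post. `OnlineIssuer`, `relying_party_accepts` and the 10-hour `MAX_LIFETIME` are hypothetical names and values; signatures are not modelled, only the lifetime and revocation logic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed cap, chosen to be comparable to a Kerberos ticket lifetime.
MAX_LIFETIME = timedelta(hours=10)

@dataclass(frozen=True)
class LongLivedCred:          # credential used to authenticate to the issuer
    subject: str
    serial: str
    not_after: datetime

@dataclass(frozen=True)
class ShortCert:              # what the online CA hands back
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

class OnlineIssuer:
    def __init__(self, name, revoked_serials):
        self.name = name
        self.revoked = set(revoked_serials)  # stands in for the issuer's CRL/OCSP view

    def issue(self, cred, now):
        # Point (b): revocation is checked once, here, at issuance time.
        if cred.serial in self.revoked:
            raise PermissionError("long-lived credential is revoked")
        if now >= cred.not_after:
            raise PermissionError("long-lived credential has expired")
        # Never outlive the credential that authenticated the request.
        end = min(now + MAX_LIFETIME, cred.not_after)
        return ShortCert(cred.subject, self.name, now, end)

def relying_party_accepts(cert, trusted_issuers, now):
    """Point (a): no CRL/OCSP lookup, so the lifetime cap must be enforced here."""
    if cert.issuer not in trusted_issuers:
        return False
    if cert.not_after - cert.not_before > MAX_LIFETIME:
        return False  # a long-lived certificate would still need revocation checking
    return cert.not_before <= now < cert.not_after

if __name__ == "__main__":
    now = datetime(2023, 10, 26, 12, 0, tzinfo=timezone.utc)  # constructed sample time
    ca = OnlineIssuer("narrow-sub-ca", revoked_serials={"BAD"})
    cert = ca.issue(LongLivedCred("alice", "OK", now + timedelta(days=365)), now)
    print(relying_party_accepts(cert, {"narrow-sub-ca"}, now + timedelta(hours=1)))
```

The relying party's own lifetime check is what makes skipping revocation tolerable: a certificate from a trusted issuer that exceeds the cap is rejected rather than accepted unchecked.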
