Re: RFC 4121 & acceptor subkey use in MIC token generation

https://www.novabbs.com/devel/article-flat.php?id=411&group=comp.protocols.kerberos#411

From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Thu, 26 Oct 2023 19:17:07 -0400
Organization: TNet Consulting
Lines: 33
Message-ID: <mailman.35.1698362235.2263420.kerberos@mit.edu>
References: <CALF+FNwtDrQ0d+a=zsXyiYq6rhOiXXkqoxUnscwum0Q0wchLJQ@mail.gmail.com>
<202310261741.39QHfgIl030099@hedwig.cmf.nrl.navy.mil>
<ZTqtQYPlzdpQGyr+@ubby21>
<202310261827.39QIRu4Q000307@hedwig.cmf.nrl.navy.mil>
<ZTqw9+Etcwo8SqR4@ubby21>
<202310261838.39QIcl16000930@hedwig.cmf.nrl.navy.mil>
<ZTrAlh0a/+Vq5P4f@ubby21>
<202310262110.39QLAdhW010116@hedwig.cmf.nrl.navy.mil>
<ZTraV0714XV7hsxx@ubby21>
<202310262157.39QLvb2C012728@hedwig.cmf.nrl.navy.mil>
<ZTrn9z3SIvlmMVWR@ubby21>
<202310262317.39QNH7Gf017221@hedwig.cmf.nrl.navy.mil>
To: kerberos@mit.edu
In-Reply-To: <ZTrn9z3SIvlmMVWR@ubby21>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
X-Mailman-Original-Message-ID: <202310262317.39QNH7Gf017221@hedwig.cmf.nrl.navy.mil>

>On Thu, Oct 26, 2023 at 05:57:37PM -0400, Ken Hornstein via Kerberos wrote:
>> You know that. I know that. But remember: "if you're explaining,
>> you're losing". When asked I can honestly say, "Kerberos is not
>> a PKI" and that's good enough, but I can't say with a straight
>> face, "This X.509 CA over here is not a PKI".
>
>Have you considered the private sector?

Ha! My memory is that the private sector is not perfect by any means and
has a DIFFERENT set of foibles.

>More seriously, there must be an office that could evaluate the use of
>online CAs that issue short-lived certificates using issuer keys stored
>in HSMs (or software keys when the sub-CA has a very narrow
>applicability, meaning very few systems will trust it). Such CAs would
>be very useful, I'm sure, especially if you could dispense with
>revocation checking at the relying party because a) the certificate will
>be as short-lived as a Kerberos ticket, b) the online issuer will have
>checked revocation for the longer-lived credential used to authenticate
>to it.

I am sure there is some kind of process, but it would probably be some
kind of trial program or research project that we could officially get
approved. The main issue I see there is getting funding for such a
project, because that's not a small amount of work (I know the code is
written; it's writing the proposals in a way so that everyone involved
could understand what I am doing, why it would be useful, the security
implications, sitting around in meetings with the various people to move
the proposal up the chain, all of that grunt work), and like everyone
else here my plate is full, so I'm not sure where that fits into the
schedule.

--Ken
