I have a last-call comment about the KDC-generated nonce used in 4-pass mode. I would like the text in section 3.2 changed from:

    This nonce string MUST be as long as the longest key length of the symmetric key types that the KDC supports and MUST be chosen randomly.

to:

    This nonce string MUST contain a randomly chosen component at least as long as the armor key length.

This change was previously discussed in the working group and appears to be non-controversial there; see https://lists.anl.gov/pipermail/ietf-krb-wg/2011-August/009549.html and replies by Sam, Gareth, and Henry.

A brief justification: this change will allow KDCs to encode a timestamp into the nonce, allowing them to determine recentness of PA-OTP-REQUESTs without using cookies. A KDC can still use cookies or a replay cache to ensure the non-replay of PA-OTP-REQUESTs if desired. The client key used to encrypt the nonce is always of the same enctype as the armor key, so there is no need to refer to other key types supported by the KDC.

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
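As an added illustration of the nonce construction the message proposes (example code written for this page, not from the poster, the working group, or any Kerberos implementation): the KDC builds a nonce from a timestamp plus a random component at least as long as the armor key, and later checks the decrypted nonce from the PA-OTP-REQUEST for recentness, optionally backed by a small replay cache. The concrete layout (an 8-byte big-endian timestamp prefix), the 300-second window, the 5-second clock-skew allowance, and all function names are assumptions made for this example; the encryption of the nonce under the client key is out of scope here, so the checks operate on the plaintext nonce the KDC would see after decryption.

```python
import os
import struct
import time
from typing import Dict, Optional, Tuple

# Assumed layout for this example (not mandated by the draft):
#   nonce = timestamp (8 bytes, big-endian seconds since epoch)
#        || random component (at least armor_key_len bytes)
TIMESTAMP_LEN = 8


def make_nonce(armor_key_len: int, now: int, rand: Optional[bytes] = None) -> bytes:
    """KDC side: build a nonce whose random part is at least the armor key length."""
    if armor_key_len <= 0:
        raise ValueError("armor key length must be positive")
    if rand is None:
        rand = os.urandom(armor_key_len)  # CSPRNG; the text requires a random component
    if len(rand) < armor_key_len:
        raise ValueError("random component shorter than armor key length")
    return struct.pack(">Q", now) + rand


def parse_nonce(nonce: bytes, armor_key_len: int) -> Tuple[int, bytes]:
    """Split a nonce into (timestamp, random component); reject undersized nonces."""
    if len(nonce) < TIMESTAMP_LEN + armor_key_len:
        raise ValueError("nonce too short for the assumed layout")
    (ts,) = struct.unpack(">Q", nonce[:TIMESTAMP_LEN])
    return ts, nonce[TIMESTAMP_LEN:]


def is_recent(nonce: bytes, armor_key_len: int, now: int,
              max_age: int = 300, max_skew: int = 5) -> bool:
    """KDC side: accept only nonces issued within max_age seconds (tolerating small skew)."""
    ts, _ = parse_nonce(nonce, armor_key_len)
    if ts > now + max_skew:        # claims to come from the future: reject
        return False
    return now - ts <= max_age     # otherwise it must be no older than the window


class ReplayCache:
    """Optional replay cache (the message notes a KDC may still use one).

    Entries expire after max_age seconds, so it stays bounded because the
    recentness check already rejects anything older than the window.
    """

    def __init__(self, max_age: int = 300) -> None:
        self.max_age = max_age
        self._seen: Dict[bytes, int] = {}

    def check_and_record(self, nonce: bytes, now: int) -> bool:
        """Return True and record the nonce if unseen; False if it is a replay."""
        for seen_nonce, seen_at in list(self._seen.items()):
            if now - seen_at > self.max_age:
                del self._seen[seen_nonce]
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def kdc_accepts(nonce: bytes, armor_key_len: int, now: int,
                cache: Optional[ReplayCache] = None, max_age: int = 300) -> bool:
    """Combined KDC decision: recent, and (if a cache is used) not replayed."""
    if not is_recent(nonce, armor_key_len, now, max_age):
        return False
    if cache is not None and not cache.check_and_record(nonce, now):
        return False
    return True


if __name__ == "__main__":
    # Constructed demo: 16-byte armor key (e.g. a 128-bit AES enctype), current time.
    armor_key_len = 16
    issued = int(time.time())
    nonce = make_nonce(armor_key_len, issued)
    cache = ReplayCache()
    print("first request accepted:", kdc_accepts(nonce, armor_key_len, issued + 1, cache))
    print("replayed request accepted:", kdc_accepts(nonce, armor_key_len, issued + 2, cache))
    print("stale request accepted:", kdc_accepts(nonce, armor_key_len, issued + 600))
```

Without the replay cache the KDC is stateless and relies on the window alone; with it, a repeated PA-OTP-REQUEST inside the window is also refused, which is the trade-off the message leaves to the KDC operator.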