Make that - Thanks for the quick response. (off-by-one key error ...)

Thanks,
--David

> -----Original Message-----
> From: Black, David
> Sent: Thursday, August 25, 2011 9:14 AM
> To: Sam Hartman
> Cc: Richards, Gareth; gen-art@xxxxxxxx; ietf@xxxxxxxx; ietf-krb-wg@xxxxxxxxxxxxx; stephen.farrell@xxxxxxxxx; Black, David
> Subject: RE: Gen-ART review of draft-ietf-krb-wg-otp-preauth-18
>
> Hi Sam,
>
> Thanks for the quick response? I'll watch for the new text on anonymous PKINIT.
>
> > Why should we require that alg-ids be registered URIs?
>
> That's not my concern - the existing first paragraph of the IANA considerations section in the draft
> requires IANA registration (or at least tries to) by pointing to the PSKC registry. My concern is
> that if this is going to be done, it needs to be done right (duh!), and the current text is
> insufficient. Please take the issue of whether to use IANA for this purpose up with Gareth and the WG.
>
> > I have no problem with the IETF registering its algorithms there, or us
> > encouraging people to register them there, but it's a URI. What purpose
> > is served by forcing registration?
>
> Hmm - more than one URI for the same algorithm might cause interoperability problems.
>
> Thanks,
> --David
>
> > -----Original Message-----
> > From: Sam Hartman [mailto:hartmans-ietf@xxxxxxx]
> > Sent: Wednesday, August 24, 2011 10:04 PM
> > To: Black, David
> > Cc: Richards, Gareth; gen-art@xxxxxxxx; ietf@xxxxxxxx; ietf-krb-wg@xxxxxxxxxxxxx; hartmans-ietf@xxxxxxx; stephen.farrell@xxxxxxxxx
> > Subject: Re: Gen-ART review of draft-ietf-krb-wg-otp-preauth-18
> >
> > >>>>> <david.black@xxxxxxx> writes:
> >
> > > [1] In section 6.1 at the top of p.28, I don't believe that the
> > > use of lower case "recommended" is a strong enough warning about
> > > the danger in using anonymous PKINIT because it exposes the OTP
> > > value:
> > >
> > >     It is therefore recommended that anonymous PKINIT not be used
> > >     with OTP algorithms that require the OTP value to be sent to the
> > >     KDC and that careful consideration be made of the security
> > >     implications before it is used with other algorithms such as those
> > >     with short OTP values.
> > >
> > > At a minimum, that warning should be in upper-case:
> > >
> > >     It is therefore RECOMMENDED that anonymous PKINIT not be used
> > >     with OTP algorithms that require the OTP value to be sent to the
> > >     KDC. In addition, the security implications should be carefully
> > >     considered before anonymous PKINIT is used with other algorithms
> > >     such as those with short OTP values.
> > >
> > > Beyond that, the security issue in the first sentence may be
> > > severe enough to justify a prohibition, so the following would
> > > also be acceptable:
> > >
> > >     Therefore anonymous PKINIT SHALL NOT be used with OTP
> > >     algorithms that require the OTP value to be sent to the KDC. In
> > >     addition, the security implications should be carefully considered
> > >     before anonymous PKINIT is used with other algorithms such as
> > >     those with short OTP values.
> >
> > I definitely agree that we should use RFC 2119 language.
> > Note that WG participants have questioned this text in last call for
> > other reasons.
> > Many implementations use anonymous pkinit in a mode where the KDC's
> > certificate is verified--that is, the client is anonymous but the KDC is
> > identified through a PKI.
> > WG participants believe (and I agree) that the security concern does not
> > apply at all in this case.
> > So, the text needs reworking.
> >
> > > [2] In section 5, the first paragraph in the IANA considerations
> > > is unclear, and following its reference to section 4.1, I don't
> > > see any clarifying text there either. I think Sections 4.1 and
> > > 4.2 need to say that the value of otp-algID is a URI obtained from
> > > the PSKC Algorithm URI Registry, and the first paragraph in
> > > section 5 should say that URIs for otp-algID are to be registered
> > > in that registry, see RFC 6030.
> >
> > Why should we require that alg-ids be registered URIs? I.e., what is
> > wrong with me using
> > http://algorithms.painless-security.com/otp/best-thing-since-unsliced-bread
> > (or a tag URI if you like) for my OTP algorithm?
> > I have no problem with the IETF registering its algorithms there, or us
> > encouraging people to register them there, but it's a URI. What purpose
> > is served by forcing registration?

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf