> I believe that the WG consensus here was that this security issue only applies if the identity of the
> KDC has not been verified.
>
> How about the following updated version of the paragraph?
>
>    Therefore, unless the identity of the KDC has been verified,
>    anonymous PKINIT SHALL NOT be used with OTP
>    algorithms that require the OTP value to be sent to the KDC. In
>    addition, the security considerations should be carefully considered
>    before anonymous PKINIT is used with other algorithms such as those with short OTP
>    values.

That works for me, as the use of "SHALL NOT" is clear and explicit.

Thanks,
--David

> -----Original Message-----
> From: Richards, Gareth
> Sent: Friday, August 26, 2011 6:56 AM
> To: hartmans-ietf@xxxxxxx; Black, David
> Cc: gen-art@xxxxxxxx; ietf@xxxxxxxx; ietf-krb-wg@xxxxxxxxxxxxx; stephen.farrell@xxxxxxxxx
> Subject: RE: Gen-ART review of draft-ietf-krb-wg-otp-preauth-18
>
> > > [1] In section 6.1 at the top of p.28, I don't believe that the
> > > use of lower case "recommended" is a strong enough warning about
> > > the danger in using anonymous PKINIT because it exposes the OTP
> > > value:
> > >
> > >    It is therefore recommended that anonymous PKINIT not be used
> > >    with OTP algorithms that require the OTP value to be sent to the
> > >    KDC and that careful consideration be made of the security
> > >    implications before it is used with other algorithms such as those
> > >    with short OTP values.
> > >
> > > At a minimum, that warning should be in upper-case:
> > >
> > >    It is therefore RECOMMENDED that anonymous PKINIT not be used
> > >    with OTP algorithms that require the OTP value to be sent to the
> > >    KDC. In addition, the security implications should be carefully
> > >    considered before anonymous PKINIT is used with other algorithms
> > >    such as those with short OTP values.
> > >
> > > Beyond that, the security issue in the first sentence may be
> > > severe enough to justify a prohibition, so the following would
> > > also be acceptable:
> > >
> > >    Therefore anonymous PKINIT SHALL NOT be used with OTP
> > >    algorithms that require the OTP value to be sent to the KDC. In
> > >    addition, the security implications should be carefully
> > >    considered
> > >    before anonymous PKINIT is used with other algorithms such as
> > >    those with short OTP values.
> >
> > I definitely agree that we should use RFC 2119 language.
> > Note that WG participants have questioned this text in last call for
> > other reasons.
> > Many implementations use anonymous pkinit in a mode where the KDC's
> > certificate is verified--that is the client is anonymous but the KDC is
> > identified through a PKI.
> > WG participants believe (and I agree) that the security concern does
> > not
> > apply at all in this case.
> > So, the text needs reworking.
>
> I believe that the WG consensus here was that this security issue only applies if the identity of the
> KDC has not been verified.
>
> How about the following updated version of the paragraph?
>
>    Therefore, unless the identity of the KDC has been verified,
>    anonymous PKINIT SHALL NOT be used with OTP
>    algorithms that require the OTP value to be sent to the KDC. In
>    addition, the security considerations should be carefully considered
>    before anonymous PKINIT is used with other algorithms such as those with short OTP
>    values.
>
> --Gareth

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf