> > Why should we require that alg-ids be registered URIs? > > That's not my concern - the existing first paragraph of the IANA > considerations section in the draft requires IANA registration (or at > least tries to) by pointing to the PSKC registry. My concern is that > if this is going to be done, it needs to be done right (duh!), and the > current text is insufficient. Please take the issue of whether to use > IANA for this purpose up with Gareth and the WG. > > > I have no problem with the IETF registering its algorithms there, or > us > > encouraging people to register them there, but it's a URI. What > purpose > > is served by forcing registration? > > Hmm - more than one URI for the same algorithm might cause > interoperability problems. > Some form of identifier will be required for the otp-algID in the PA-OTP-CHALLENGE and the PA-OTP-REQUEST and from what I remember about when this was first discussed, it was agreed that it would make sense to use the registry of identifiers already being established for PSKC rather than produce a duplicate one. My assumption was that a registry would be required to ensure that the URIs were unique. --Gareth > > > -----Original Message----- > > From: Sam Hartman [mailto:hartmans-ietf@xxxxxxx] > > Sent: Wednesday, August 24, 2011 10:04 PM > > To: Black, David > > Cc: Richards, Gareth; gen-art@xxxxxxxx; ietf@xxxxxxxx; ietf-krb- > wg@xxxxxxxxxxxxx; hartmans- > > ietf@xxxxxxx; stephen.farrell@xxxxxxxxx > > Subject: Re: Gen-ART review of draft-ietf-krb-wg-otp-preauth-18 > > > > >>>>> <david.black@xxxxxxx> writes: > > > > > > > [1] In section 6.1 at the top of p.28, I don't believe that the > > > use of lower case "recommended" is a strong enough warning > about > > > the danger in using anonymous PKINIT because it exposes the OTP > > > value: > > > > > It is therefore recommended that anonymous PKINIT not be > used > > > with OTP algorithms that require the OTP value to be sent to > the > > > KDC and that careful consideration be made of the security > > > implications before it is used with other algorithms such as > those > > > with short OTP values. > > > > > At a minimum, that warning should be in upper-case: > > > > > It is therefore RECOMMENDED that anonymous PKINIT not be > used > > > with OTP algorithms that require the OTP value to be sent to > the > > > KDC. In addition, the security implications should be carefully > > > considered before anonymous PKINIT is used with other > algorithms > > > such as those with short OTP values. > > > > > Beyond that, the security issue in the first sentence may be > > > severe enough to justify a prohibition, so the following would > > > also be acceptable: > > > > > Therefore anonymous PKINIT SHALL NOT be used with OTP > > > algorithms that require the OTP value to be sent to the KDC. In > > > addition, the security implications should be carefully > considered > > > before anonymous PKINIT is used with other algorithms such as > > > those with short OTP values. > > > > I definitely agree that we should use RFC 2119 language. > > Note that WG participants have questioned this text in last call for > > other reasons. > > Many implementations use anonymous pkinit in a mode where the KDC's > > certificate is verified--that is the client is anonymous but the KDC > is > > identified through a PKI. > > WG participants believe (and I agree) that the security concern does > not > > apply at all in this case. > > So, the text needs reworking. > > > > > [2] In section 5, the first paragraph in the IANA > considerations > > > is unclear, and following its reference to section 4.1, I don't > > > see any clarifying text there either. I think Sections 4.1 and > > > 4.2 need to say that the value of otp-algID is a URI obtained > from > > > the PSKC Algorithm URI Registry, and the first paragraph in > > > section 5 should say that URIs for otp-algID are to be > registered > > > in that registry, see RFC 6030. > > > > Why should we require that alg-ids be registered URIs? I.E. what is > > wrong with me using > > http://algorithms.painless-security.com/otp/best-thing-since- > unsliced-bread > > (or a tag URI if you like) for my OTP algorithm? > > I have no problem with the IETF registering its algorithms there, or > us > > encouraging people to register them them, but it's a URI. What > purpose > > is served by forcing registration? _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf