
Requested edits to kink





Hi.  I'd like to request authors to make the following edits based on
last call comments.  Please let me know if I missed anything.

If these edits can be submitted by close of business Thursday in the
US/Eastern time zone, then I can place Kink on the December 15 IESG
agenda.  I would need to know that a new version will be submitted by
15:30 US ET on Thursday.

1) The clarification regarding principal names in the u2u exchange
    plus the 1964 encoding of principal names as agreed on the list.

2) Drop section 10 as agreed on the list.

3) Change the text regarding skew errors.  How about: MUST return a
KRB_AP_ERR_SKEW.  The optional client's time in the KRB-ERROR SHOULD
be filled out.  The server MAY include a Kink cksum to protect the
error using the session key of the ticket.  If the server protects the
error, the client MAY compute the difference (in seconds) between the
two clocks based upon the client and server time contained in the
KRB-ERROR message.  The client SHOULD store this clock difference and
use it to adjust its clock in subsequent messages.  If the error is
not protected, the client MUST NOT adjust its clock because doing so
would allow an attacker to construct authenticators that can be used
to mount replay attacks.

Later, change the following: KINK implementations MAY make use of a
   KINK Cksum field when returning KINK_KRB_ERROR and the appropriate
   service key is available.  Especially in the case of clock skew
   errors protecting the error at the server creates a better user
   experience because it does not require clocks to be synchronized.
   However many Kerberos implementations do not make it easy to obtain
   the session key in order to protect error packets.


4) You may want to change requires to expects in the discussion of
   rekeying SAs.  Nico would like this change.  I don't think the
   discussion on the list is strong enough to require it but no
   objections have been raised.


Thanks for all the hard work,

--Sam
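
The skew-error rule proposed in item 3, sketched as an added example that is not part of the original message or of any KINK implementation: the client stores a clock offset only when the error carries a checksum that verifies under the ticket's session key. The dict message layout, the helper names and the use of HMAC-SHA256 in place of the real Kink cksum are assumptions made for illustration; timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

KRB_AP_ERR_SKEW = 37  # Kerberos "clock skew too great" error code (RFC 4120)


def _mac(session_key: bytes, error_code: int, ctime: int, stime: int) -> bytes:
    # Assumed stand-in for the Kink cksum: a keyed MAC over the fields
    # the client will act on, so none of them can be altered unnoticed.
    body = struct.pack("!IQQ", error_code, ctime, stime)
    return hmac.new(session_key, body, hashlib.sha256).digest()


def make_skew_error(ctime: int, stime: int, session_key: bytes = None) -> dict:
    """Server side: echo the client's time; protect only if the key is available."""
    err = {"error_code": KRB_AP_ERR_SKEW, "ctime": ctime, "stime": stime, "cksum": None}
    if session_key is not None:
        err["cksum"] = _mac(session_key, KRB_AP_ERR_SKEW, ctime, stime)
    return err


class ClientClock:
    """Client side: holds a skew offset that only protected errors may change."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.offset = 0  # seconds added to local time in subsequent messages

    def handle_error(self, err: dict) -> bool:
        """Return True only if the stored offset was updated from this error."""
        if err.get("error_code") != KRB_AP_ERR_SKEW:
            return False
        if err.get("cksum") is None or err.get("ctime") is None:
            return False  # unprotected, or no client time: MUST NOT adjust
        expected = _mac(self.session_key, err["error_code"], err["ctime"], err["stime"])
        if not hmac.compare_digest(err["cksum"], expected):
            return False  # altered or forged error: treat as unprotected
        self.offset = err["stime"] - err["ctime"]  # difference in seconds
        return True

    def now(self, local_time: int) -> int:
        return local_time + self.offset
```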