Minutes for KITTEN at IETF-92

Meeting Minutes Common Authentication Technology Next Generation (kitten) WG
Title Minutes for KITTEN at IETF-92
State Active
Other versions plain text
Last updated 2015-04-01

Meeting Minutes

   IETF 92 - kitten Working Group Minutes

Location: IETF 92, Dallas, TX, US (Fairmont Dallas)
Room: Far East
Time: 2015-03-27 1150-1320

  Ben Kaduk
  Matt Miller
  Shawn Emery (really outgoing this time)
  Jim Schaad

  Alexey Melnikov

Action Items

1) draft-ietf-kitten-rfc4402bis
   * Shawn Emery to submit new draft, but may not be until end
     of May 2015

2) draft-ietf-kitten-rfc6112bis
   * Shawn Emery to submit new draft, but may not be until end
     of May 2015

3) draft-ietf-kitten-rfc5653bis
   * Chairs to take discussion on Java Stream API to list

4) draft-josefsson-kitten-gs2bis / draft-josefsson-sasl-tls-cb
   * Chairs to work on draft "liaison statement" to TLS WG about
     the need for a functional "tls unique"

5) draft-ietf-krb-wg-pkinit-alg-agility
   * Bill Mills to revive missing edits on the mailing list

6) Non-WG drafts
   * Chairs to discuss how/when to call for adoption of drafts.

Conference Session

1.   Preliminaries (5 min)

2.   Active WG items (20 min)

Chairs briefly review the status of each document, and discuss
any open issues and/or recent comments on each.

2.1  CAMMAC        draft-ietf-kitten-cammac

2.2  GSS-Loop      draft-ietf-kitten-gss-loop

2.3  SASL/OAuth    draft-ietf-kitten-sasl-oauth

2.4  4402 Update   draft-ietf-kitten-rfc4402bis

Shawn Emery will submit new draft as soon as he gets access to
the file.

2.5  6112 Update   draft-ietf-kitten-rfc6112bis

Shawn Emery will do it but may take until the end of May

2.6  5653 Update   draft-ietf-kitten-rfc5653bis

Nico Williams thinks that the stream stuff can be removed.  The
GSI folks uses a self framing method with TLS, one could have
used the JAVA streaming that way but not as specified.

Chairs will take this discussion to the list.

2.7  AES/SHA2      draft-ietf-kitten-aes-cts-hmac-sha2

2.8  PKINIT-Fresh  draft-ietf-kitten-pkinit-freshness

2.9  SASL-SAML-EC  draft-ietf-kitten-sasl-saml-ec

2.10 IAKERB        draft-ietf-kitten-iakerb

Nico thinks we should have a mechanism attribute which states
that the mechanism might not succeed.  There are some
applications which need to avoid this state, i.e. they must
always succeed.

2.11 Auth-Ind      draft-ietf-kitten-krb-auth-indicator

2.12 GS2 Update    draft-josefsson-kitten-gs2bis

Need to get a new channel binding (e.g.,
draft-josefsson-sasl-tls-cb) until TLS session hash fix gets
rolled out.

Nico says that you need to have the session hash from TLS to be

This will also be necessary for the Token Binding WG
as well.

Need to have the chairs draft a message asking for changes from
the TLS working group to get real channel bindings.

2.13 IANA-reg      draft-ietf-kitten-gssapi-extensions-iana

Tom Yu believes he can get it done in one or two meetings
cycles, but needs help getting reviews done.

2.14 Channel Bound draft-ietf-kitten-channel-bound-flag

Nico Williams is interested in moving this forward, but does
not have cycles for this.  He needs help to get the state
swapped back in. Simo Sorce from the jabber room would like to
assist with this.

2.15 PKINIT-alg    draft-ietf-krb-wg-pkinit-alg-agility

Need to revive the one missing edit back to the list and Bill
Mills can finish with the edits.

3.   Kerberos PAD (10 minutes)

Ben Kaduk discussed use cases and requests seen by Simo that
motivate reviving the Kerberos PAD draft.

Nico Williams says this is starting to look like SIDS - NFS
people might like this

Group and user identification numbers need to be scoped correctly.

Will be crossing name space boundaries when you cross realms

Shawn Emery would also like a GSS-API interface

Nico Williams says you should be able to get a smaller ticket
from a service in exchange for the large ticket with all of
your data in it.

Stephen Farrel says that we should check with Microsoft to see
if any IPR issues still apply.

Nico Williams states that if inclusion of POSIX information is
covered by IPR, this whole effort is probably dead.

4.   Deprecating old Kerberos encryption types (10 minutes)

Ben Kaduk presented draft-kaduk-kitten-des-des-des-die-die-die

Kenny Patterson asks about key strengths.  The key values
could either be randomly generated or derived from passwords.
If derived from passwords, biases in RC4 is the least of your
attack in these issues.
Shawn Emery says that some of the newer mechanisms replace
password derived key generation is in stream.

Bill Mills says that elimination of Windows XP and 2003 servers
by the PCI compliance enforcement.

5. Kerberos Service Discovery

Ben Kaduk talked about draft-mccallum-kitten-krb-service-discovery.

Nico supports the draft as does Simo Sorce.

6.   Extra round trips in Kerberos (10 minutes)

Nico will present draft-williams-kitten-krb5-extra-rt

Shawn Emery agrees this would be helpful.  

7.   GSS-only Kerberos encryption types (10 minutes)

Nico Williams talked about this proposal to bring in, e.g., GCM
mode for improved performance

Ben Kaduk notes that there are several encryption type registry
entries with strong restrictions on usage context.

8.   PKCROSS (10 minutes)

Nico Williams talked about draft-williams-kitten-krb5-pkcross
and the various alternate proposals which have been made.

9.   GSS generic naming attribues (10 minutes)

Nico Williams talked about

10.  Open mic (5 min)

Nico Williams regarding the registry - we may be able to drop a
couple of these documents and go directly to IANA expert review on

Chairs poll the room to see how many of the non-WG drafts
people have read, in preparation for a call for adoption.
Poor showing in the room-- generally the same 3 or 4 individuals.

Chairs need to discuss how and when to call for adoption on some
or all of the non-WG documents.