Telechat Review of draft-josefsson-kerberos5-starttls-
review-josefsson-kerberos5-starttls-secdir-telechat-nystrom-2010-02-02-00

This is a follow-up to the review I made back in December on version
-07 of this document.

Simon has implemented all the changes I proposed (and more!) and I
have only one comment on this version, pertaining to the new text in
Section 5. I cannot judge the validity of the statement that "Many
client environments [presumably the ones that this protocol targets]
do not have secure long-term storage, which is required to validate
certificates", but assuming this statement is true, then, for clarity,
I would suggest changing the 2nd and 3rd paragraph of the section to:

"
A goal for the protocol described in this memo is that it should be as
easy to implement and deploy on clients as support for UDP/TCP. Since
many client environments do not have secure long-term storage (and
server certificate validation requires some form of long-term
storage), the Kerberos V5 STARTTLS protocol does not require clients
to verify server certificates. If server certification had been
required, then environments with constrained clients such as those
mentioned would be forced to disable TLS; this would arguably be worse
than TLS without server certificate validation as use of TLS, even
without server certificate validation, protects against some attacks
that Kerberos V5 over UDP/TCP do not. For example, even without server
certificate validation, TLS does protect against passive network
sniffing aimed at tracking Kerberos service usage by a given client.

Note however that use of TLS without server certificate verification
opens up for a range of active attacks such as man-in-the-middle.
"

Best,
-- Magnus