IETF 87 - kitten Working Group Minutes
======================================

Location: Berlin, Germany - (InterContinental)
Room: Schoeneberg 1/2
Time: Thursday, 1 August 2013, 15:20 - 16:50 CEST
Co-Chairs: Sam Hartman
           Shawn Emery
           Josh Howlett
Secretary: Simon Josefsson
Scribe: Matt Miller
Jabber Scribe: Rhys Smith
Jabber Log: http://www.ietf.org/jabber/logs/kitten/2013-08-01.html
Audio Recording:

Action Items
============

Chairs: Poll the list to see if the OAuth specification should or should not have the GS2 text elided and be submitted as an RFC.

Chairs: Poll the list to see which proposals of the various cipher modes for aes-cts-hmac-sha2 are requested, and explain the reasoning on why the mode was chosen.

Chairs: Poll the list to see if there is interest/energy in pursuing the CAMMAC draft.

Chairs: Gauge interest and ask for reviews of newly submitted drafts:
        draft-williams-kitten-generic-naming-attributes
        draft-williams-kitten-krb5-pkcross

Conference Session
==================

PARTICIPANT KEY:
* AM - Alexey Melnikov
* BK - Benjamin Kaduk (REMOTE)
* JS - Jim Schaad
* KI - Kevin Igoe
* MA - Morteza Ansari
* SC - Scott Cantor (REMOTE)
* SE - Shawn Emery
* SF - Stephen Farrell
* SH - Sam Hartman
* TY - Tom Yu (REMOTE)

0) Administrivia
------------------------------------

No bashing of the agenda.

1) draft-ietf-kitten-gssapi-extensions-iana
------------------------------------

Josh will continue to ping Alexey for updates.

2) draft-ietf-kitten-sasl-saml-ec
------------------------------------

Revisions 07-09 have been made:
  07: GSS-API delegation section added
  08: delegation header added
  09: delegation identifier updated to match the updated ECP document

3) draft-ietf-krb-wg-kdc-model
------------------------------------

Now RFC 6880, thanks Leif!
4) draft-ietf-krb-wg-pkinit-alg-agility
------------------------------------

Updates will be made in the next week and a half:
  - Update to make RFC 3766 and RFC 6194 informative references
  - Error code 82 needs to be reassigned; impact on deployed code is unlikely

5) draft-ietf-kitten-iakerb
------------------------------------

* JS - I need to read through the two changes (in a readable format). I also need to read through the appendix that the MIT expectations are met. If I have the updates very soon, then I should be complete by Saturday, and you can issue WGLC after that.

6) draft-ietf-krb-wg-cammac
------------------------------------

* SH - I am surprised to see this submitted. While in the charter, it's been dead for a long time, and the current authors have not been active.

How many have read a version of CAMMAC? (5 hands)
How many have read this version of CAMMAC? (a couple of hands)

!!ACTION!! - Need to take CAMMAC to the list to see if there's any interest, then possibly look into removing it from the WG if there is no interest.

7) SASL-GS2 Update
------------------------------------

* SH - Who is willing to help contribute to updating GS2?
* SC - Will review and assist as needed. No code experience, though.
* MA - Willing to help review.

8) OAuth Update
------------------------------------

* MA - We have a lot of services that are very interested in OAuth integration, while there is little interest in GS2 for my applications. I would recommend separating it from GS2 for now, and looking at it later.
* SE - Do you need an RFC? Or are you looking for interest?
* AM - Would it be quicker to update GS2?
* SH - No. We need to do the security analysis, which will be tricky.

Hum: Who would like the OAuth mech to proceed with GS2 text removed? (hums)
Hum: Who would prefer to wait for the GS2 update before proceeding to RFC? (silence)
Hum: Who doesn't care or needs more information? (silence)

!!ACTION!! - Consensus for removing the GS2 update from OAuth now.
9) draft-ietf-kitten-channel-bound-flag
------------------------------------

Consensus from the list was that the empty security context would be pursued. Updates have already been made.

10) draft-ietf-kitten-aes-cts-hmac-sha2
------------------------------------

* TY - Kelley wrote up something Nico proposed for the short-plaintext case; not sure we actually had consensus for that particular approach.
* SH - I do believe we have consensus on the approach, but as soon as the draft came out there were objections to the approach. This is a case where we need strong consensus to change, not consensus to update.
* BK - There were no concrete reasons for supporting ciphertext readoning. (SH - Not yet.)
* SH - If there is a belief that the draft does not accurately implement the proposal, then inform the text. When I reviewed the comments on this topic:
  - CTS was dropped quickly.
  - This is drawn out of implementation complexity. Krb et al. do not allow for short plaintext, while RFC 3962 does.
  - Providing that ciphertext expansion does not go beyond 8 bytes is a requirement. When a particular message does not align, there are concerns if the expansion is beyond 8 bytes.

Some have proposed that we continue to move forward, ignoring the rationale for consensus in the past. The chairs discussed this prior to the meeting: we need consensus to change, not consensus to add an update.

Proposals:
  1) Move to CTS
  2) Change to CBC
  3) Considered CTR mode?

* SH - Does it make sense to have face-2-face time on this, given the few Kerberos people present? (none from those present)
* SH - (To Stephen Farrell) Do you have suggestions on how to move forward on this?
* SF - I think it's better for you guys to manage it, but if you need me to take a look at it I can.
* SH - I think it's more controversial, so I think you need to be involved. I think when participants understand
* BK - We cannot find a record of the decision on the mailing list.
* TY - We don't have documentation on the concerns with padding.
* SH - If the current proposal's rationale is not relevant or understood, then I would certainly support removing this. But we should be conservative.
* TY - There are recollections that it was a problem for MS,
* KI - Is the objection the mechanism, or the text of the mechanism?
* SH - My understanding is that Kelley agrees with the proposal.
* KI - The current text is very confusing.
* SH - Take the proposals to the list, and ask those that brought the original proposals to the list to come back and explain what the original concerns were.

11) draft-ietf-kitten-kerberos-iana-registries
------------------------------------

* SH - Anyone reviewed -02? (no hands)
* TY - No outstanding issues I am aware of, except initial values (which I need to continue to work on).
* SH - When can we expect an update so we can WGLC?
* TY - Not sure about timing. I need help with initial values.
* SH - Who is willing to help Tom with the initial values? (2 volunteers - Sam Hartman and Josh Howlett)

12) New Drafts
------------------------------------

* SE - Has anyone read the drafts? (none)
* SH - The chairs would be willing to have a presentation (by someone who is not a chair). But until people read them, it is very difficult to adopt them.
* BK - I only skimmed, but I feel they fell short and did not provide enough information.

Open Mic
------------------------------------

No one came forward.

============
Session Over