[Ach] Kerberos section, out of scope or desirable?
L. Aaron Kaplan
kaplan at cert.at
Wed Jan 1 18:12:56 CET 2014
On Jan 1, 2014, at 5:55 PM, Alexander Wuerstlein <arw at cs.fau.de> wrote:
> Hello,
>
> after reading the current draft PDF, I've noticed Appendix E, "Further
> Research", where "We encourage input from the Internet community" is
> mentioned along with Kerberos. Since I am interested in working on a
> Kerberos section, I've read the TODO.txt file in the git repo, where it
> says, introduced in commit 5e4ce69dc4: "* Kerberos --> out of scope".
>
> Does 'out of scope' mean that Kerberos will not be discussed in a
> further version of the document?
"out of scope" was our designation for "out of scope for draft-version-1" (which we presented at the CCC).
So, yes! If you have some good input for Kerberos, please feel free!
> If so, what criteria exclude Kerberos
> from the scope of the document? It may be rarely used in private
> environments but it is a common occurrence in businesses and other
> institutions.
>
> As for the contents of a Kerberos section, I would roughly include the
> following:
>
> - initial configuration of a MIT KDC, supported_enctypes limited to
> aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96 and
> camellia256-cts-cmac, camellia128-cts-cmac
> - Mention interoperability concerns that might necessitate further
> ciphers for "legacy" setups.
> - Suggest MIT defaults as sensible (but explicitly specified) defaults
> for lifetimes
> - similarly for a MIT client: set a sensible list of enctypes as above.
> - disable Kerberos 4 (insecure and obsolete), discourage dns_lookup_kdc
> (possible DoS, do you consider this a problem?)
>
Here is the source code:
https://github.com/BetterCrypto/
--> please send us a pull request :)
> Later, more aspects can be included:
> - Configuration of MS ActiveDirectory, e.g. by referencing
> http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx
> and similar documents
> - Heimdal and GNU Shishi Kerberos implementations
> - suggest migration paths for setups with legacy DES, 3DES and RC4
> principals, e.g. by forcing a password change for such principals
>
> Things that I would exclude (at least at first):
> - X.509/pkinit and SmartCard integration
> - LDAP/DB2 KDC backends
> - Kerberos client security (e.g. NFSv4 configuration)
>
>
>
> Ciao,
>
> Alexander Wuerstlein.
---
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Commercial register number 172568b, LG Salzburg
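The KDC and client settings Alexander lists above (supported_enctypes limited to AES and Camellia, lifetimes stated explicitly rather than inherited, dns_lookup_kdc discouraged), written out as a MIT Kerberos kdc.conf followed by a krb5.conf. This is an added example, not configuration from this thread or from the BetterCrypto repository; the realm EXAMPLE.COM, the KDC host names and the lifetime values are assumptions chosen for illustration.

```ini
# ---- kdc.conf (KDC side) ----
# Added example; realm, host names and lifetimes are assumed values.
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    EXAMPLE.COM = {
        # Master key on the strongest enabled enctype.
        master_key_type = aes256-cts-hmac-sha1-96
        # Keys for new or rekeyed principals are generated only for these
        # enctypes; DES, 3DES and RC4 are deliberately absent.
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal
        # Lifetimes set explicitly instead of relying on built-in defaults.
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

# ---- krb5.conf (client side, and the library side of the KDC) ----
[libdefaults]
    default_realm = EXAMPLE.COM
    # Locate KDCs from the static [realms] list instead of DNS SRV lookups,
    # so clients do not depend on DNS answers to reach a KDC (the DoS
    # concern raised in the thread).
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Refuse weak enctypes even when a peer offers them.
    allow_weak_crypto = false
    # Same enctype list as the KDC, for ticket requests and session keys.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
    ticket_lifetime = 10h
    renew_lifetime = 7d

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

For the interoperability case mentioned above, a legacy enctype is better added to the enctype lists of the individual host that still needs it than to the KDC's supported_enctypes, so the weak key only exists where it is unavoidable. Principals that today hold only DES, 3DES or RC4 keys pick up AES and Camellia keys on their next password change once the KDC is configured this way, which is the migration path Alexander suggests.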