[Ach] Kerberos section, out of scope or desirable?
L. Aaron Kaplan
kaplan at cert.at
Wed Jan 1 18:12:56 CET 2014
On Jan 1, 2014, at 5:55 PM, Alexander Wuerstlein <arw at cs.fau.de> wrote:
> after reading the current draft PDF, I've noticed Appendix E, "Further
> Research", where "We encourage input from the Internet community" is
> mentioned along with Kerberos. Since I am interested in working on a
> Kerberos section, I've read the TODO.txt file in the git repo, where it
> says, introduced in commit 5e4ce69dc4: "* Kerberos --> out of scope".
> Does 'out of scope' mean that Kerberos will not be discussed in a
> further version of the document?
"out of scope" was our designation for "out of scope for draft-version-1" (which we presented at the CCC).
So, yes! If you have some good input for Kerberos, please feel free!
> If so, what criteria exclude Kerberos
> from the scope of the document? It may be rarely used in private
> environments but it is a common occurence in businesses and other
> As for the contents of a Kerberos section, I would roughly include the
> - initial configuration of a MIT KDC, supported_enctypes limited to
> aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96 and
> camellia256-cts-cmac, camellia128-cts-cmac
> - Mention interoperability concerns that might necessitate further
> ciphers for "legacy" setups.
> - Suggest MIT defaults as sensible (but explicitly specified) defaults
> for lifetimes
> - similarly for a MIT client: set a sensible list of enctypes as above.
> - disable Kerberos 4 (insecure and obsolete), discourage dns_lookup_kdc
> (possible DoS, do you consider this a problem?)
Here is the source code:
--> please send us a pull request :)
> Later, more aspects can be included:
> - Configuration of MS ActiveDirectory, e.g. by referencing
> and similar documents
> - Heimdal and GNU Shishi Kerberos implementations
> - suggest migration paths for setups with legacy DES, 3DES and RC4
> principals, e.g. by forcing a password change for such principals
> Things that I would exclude (at least at first):
> - X.509/pkinit and SmartCard integration
> - LDAP/DB2 KDC backends
> - Kerberos client security (e.g. NFSv4 configuration)
> Alexander Wuerstlein.
> Ach mailing list
> Ach at lists.cert.at
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 163 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Ach