Sam Hartman | 27 Jun 2012 15:52

Question: Prefer to block on draft-ietf-krb-wg-kdc-model


Hi.
At this point in the process, there's a presumption that absent
consensus to change, the text currently in the draft will survive.

Unfortunately, we're in an annoying situation. I think we have a rough
consensus that the text in the draft is not what we want. I think Simo,
Nico, Leif, Sam and Jeff have indicated a desire to make changes. I
think Tom and Greg may also have indicated such a desire.
The presumption of consensus evaporates.

However, so far, we're not reaching rough consensus on any particular
change.

As chair, I need to ask: Would you prefer to block (possibly
indefinitely) on this issue rather than publishing as-is?  For this, one
word answers drawn from the set {yes, no} are preferred.  You can
explain, but I do need to poll the WG about whether this is worth
blocking the document.
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg <at> lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg

Leif Johansson | 28 Jun 2012 09:11

Re: Question: Prefer to block on draft-ietf-krb-wg-kdc-model


On 06/27/2012 03:52 PM, Sam Hartman wrote:
> 
> 
> Hi. At this point in the process, there's a presumption that
> absent consensus to change, the text currently in the draft will
> survive.
> 
> Unfortunately, we're in an annoying situation. I think we have a
> rough consensus that the text in the draft is not what we want. I
> think Simo, Nico, Leif, Sam and Jeff have indicated a desire to
> make changes. I think Tom and Greg may also have indicated such a
> desire. The presumption of consensus evaporates.
> 
> However, so far, we're not reaching rough consensus on any
> particular change.
> 
> As chair, I need to ask: Would you prefer to block (possibly 
> indefinitely) on this issue rather than publishing as-is?  For
> this, one word answers drawn from the set {yes, no} are preferred.
> You can explain, but I do need to poll the WG about whether this is
> worth blocking the document.

I prefer not to block.

Greg Hudson | 28 Jun 2012 17:06

Re: Question: Prefer to block on draft-ietf-krb-wg-kdc-model

On 06/27/2012 09:52 AM, Sam Hartman wrote:
> As chair, I need to ask: Would you prefer to block (possibly
> indefinitely) on this issue rather than publishing as-is?

I'd prefer to block, since I don't think it would mean blocking
indefinitely.  I think we can, at a minimum, achieve rough consensus
that marking 4.1.1.5-7 as optional is better than the current state.

Tom Yu | 28 Jun 2012 17:09

Re: Question: Prefer to block on draft-ietf-krb-wg-kdc-model

Sam Hartman <hartmans-ietf <at> MIT.EDU> writes:

> Hi.
> At this point in the process, there's a presumption that absent
> consensus to change, the text currently in the draft will survive.
>
> Unfortunately, we're in an annoying situation. I think we have a rough
> consensus that the text in the draft is not what we want. I think Simo,
> Nico, Leif, Sam and Jeff have indicated a desire to make changes. I
> think Tom and Greg may also have indicated such a desire.
> The presumption of consensus evaporates.
>
> However, so far, we're not reaching rough consensus on any particular
> change.
>
> As chair, I need to ask: Would you prefer to block (possibly
> indefinitely) on this issue rather than publishing as-is?  For this, one
> word answers drawn from the set {yes, no} are preferred.  You can
> explain, but I do need to poll the WG about whether this is worth
> blocking the document.

I have a slight preference for blocking.

I'm still reviewing the discussion, but it seems that from what I've
read so far, the minimal change that I would be comfortable with (and
that we might reach consensus about) is removing the debated
attributes altogether.  We could easily add them back in a subsequent
version.  I dislike adding things that we know that people are very
likely not going to implement in the way we specified.

Nico Williams | 28 Jun 2012 17:18

Re: Question: Prefer to block on draft-ietf-krb-wg-kdc-model

On Wed, Jun 27, 2012 at 8:52 AM, Sam Hartman <hartmans-ietf <at> mit.edu> wrote:
> As chair, I need to ask: Would you prefer to block (possibly
> indefinitely) on this issue rather than publishing as-is?  For this, one
> word answers drawn from the set {yes, no} are preferred.  You can
> explain, but I do need to poll the WG about whether this is worth
> blocking the document.

Block.  Or fix.  But do not publish as-is.  I'd be happy with removal
of the N-strikes-related attributes as a fix, and any related text.

Nico

Sam Hartman | 28 Jun 2012 17:44

Re: Question: Prefer to block on draft-ietf-krb-wg-kdc-model

>>>>> "Nico" == Nico Williams <nico <at> cryptonector.com> writes:

    Nico> Block.  Or fix.  But do not publish as-is.  I'd be happy with removal
    Nico> of the N-strikes-related attributes as a fix, and any related text.

What attributes do you see as related to n-strikes?
As an individual I actually don't see any.
I see attributes that mostly seem to date back to things in the MIT
schema since before they had lockout, plus an attribute (failed auth
count) that we're quite certain is useless for n-strikes in its current
form.

Nico Williams | 28 Jun 2012 19:01

Re: Question: Prefer to block on draft-ietf-krb-wg-kdc-model

On Thu, Jun 28, 2012 at 10:44 AM, Sam Hartman <hartmans-ietf <at> mit.edu> wrote:
>>>>>> "Nico" == Nico Williams <nico <at> cryptonector.com> writes:
>
>    Nico> Block.  Or fix.  But do not publish as-is.  I'd be happy with removal
>    Nico> of the N-strikes-related attributes as a fix, and any related text.
>
> What attributes do you see as related to n-strikes?
> As an individual I actually don't see any.

To be precise I want the following attributes to be made explicitly
optional, or better: removed:

4.1.1.5.  principalNumberOfFailedAuthenticationAttempts
4.1.1.6.  principalLastFailedAuthentication
4.1.1.7.  principalLastSuccessfulAuthentication

I'd be OK with adding a locked attribute.

Nico

Leif Johansson | 28 Jun 2012 20:35

Re: Question: Prefer to block on draft-ietf-krb-wg-kdc-model


On 06/28/2012 07:01 PM, Nico Williams wrote:
> On Thu, Jun 28, 2012 at 10:44 AM, Sam Hartman
> <hartmans-ietf <at> mit.edu> wrote:
>>>>>>> "Nico" == Nico Williams <nico <at> cryptonector.com> writes:
>> 
>>    Nico> Block.  Or fix.  But do not publish as-is.  I'd be happy with removal
>>    Nico> of the N-strikes-related attributes as a fix, and any related text.
>> 
>> What attributes do you see as related to n-strikes? As an
>> individual I actually don't see any.
> 
> To be precise I want the following attributes to be made
> explicitly optional, or better: removed:
> 
> 4.1.1.5.  principalNumberOfFailedAuthenticationAttempts
> 4.1.1.6.  principalLastFailedAuthentication
> 4.1.1.7.  principalLastSuccessfulAuthentication
> 
> I'd be OK with adding a locked attribute.

I'm ok removing them or making them optional. I believe that
introducing locking will entail a substantial rewrite of the
spec which I think is not worth the effort at this point. Maybe
next revision!

Nico Williams | 28 Jun 2012 21:22

Re: Question: Prefer to block on draft-ietf-krb-wg-kdc-model

On Thu, Jun 28, 2012 at 1:35 PM, Leif Johansson <leifj <at> mnt.se> wrote:
>> I'd be OK with adding a locked attribute.
>
> I'm ok removing them or making them optional. I believe that
> introducing locking will entail a substantial rewrite of the
> spec which I think is not worth the effort at this point. Maybe
> next revision!

I'm talking about a locked attribute with no special semantics to read
nor write.  It'd be deleting the principal to lock and re-creating the
principal to unlock, say, or deleting its keys and re-creating them,
or setting a disallow-tix flag, only, of course, simpler than that.
Speaking of which, I don't see that MIT krb5 attribute in the I-D
(disallow-tix).

Nico

Jeffrey Hutzelman | 28 Jun 2012 22:19

Re: Question: Prefer to block on draft-ietf-krb-wg-kdc-model

On Thu, 2012-06-28 at 14:22 -0500, Nico Williams wrote:
> On Thu, Jun 28, 2012 at 1:35 PM, Leif Johansson <leifj <at> mnt.se> wrote:
> >> I'd be OK with adding a locked attribute.
> >
> > I'm ok removing them or making them optional. I believe that
> > introducing locking will entail a substantial rewrite of the
> > spec which I think is not worth the effort at this point. Maybe
> > next revision!
> 
> I'm talking about a locked attribute with no special semantics to read
> nor write.  It'd be deleting the principal to lock and re-creating the
> principal to unlock, say, or deleting its keys and re-creating them,
> or setting a disallow-tix flag, only, of course, simpler than that.
> Speaking of which, I don't see that MIT krb5 attribute in the I-D
> (disallow-tix).

It's 4.1.1.4, principalIsDisabled


Nico Williams | 28 Jun 2012 22:47

Re: Question: Prefer to block on draft-ietf-krb-wg-kdc-model

On Thu, Jun 28, 2012 at 3:19 PM, Jeffrey Hutzelman <jhutz <at> cmu.edu> wrote:
>> I'm talking about a locked attribute with no special semantics to read
>> nor write.  It'd be deleting the principal to lock and re-creating the
>> principal to unlock, say, or deleting its keys and re-creating them,
>> or setting a disallow-tix flag, only, of course, simpler than that.
>> Speaking of which, I don't see that MIT krb5 attribute in the I-D
>> (disallow-tix).
>
> It's 4.1.1.4, principalIsDisabled

That's what I get for not having done a case-insensitive search.

OK, so I'm for removing 4.1.1.5, 4.1.1.6, and 4.1.1.7.

Nico

Jeffrey Hutzelman | 28 Jun 2012 20:33

Re: Question: Prefer to block on draft-ietf-krb-wg-kdc-model

On Thu, 2012-06-28 at 12:01 -0500, Nico Williams wrote:
> On Thu, Jun 28, 2012 at 10:44 AM, Sam Hartman <hartmans-ietf <at> mit.edu> wrote:
> >>>>>> "Nico" == Nico Williams <nico <at> cryptonector.com> writes:
> >
> >    Nico> Block.  Or fix.  But do not publish as-is.

Agree.

> To be precise I want the following attributes to be made explicitly
> optional, or better: removed:
> 
> 4.1.1.5.  principalNumberOfFailedAuthenticationAttempts
> 4.1.1.6.  principalLastFailedAuthentication
> 4.1.1.7.  principalLastSuccessfulAuthentication
> 
> I'd be OK with adding a locked attribute.

Agree.


Sam Hartman | 28 Jun 2012 21:01

Re: Question: Prefer to block on draft-ietf-krb-wg-kdc-model

OK.  I *think* that everyone can live with removing the attributes and
making no other changes.

1) Is there anyone who objects strongly to that?

2) does anyone see a set of changes they personally would prefer to
removing the attributes that they think might be able to gain consensus?

Simo Sorce | 29 Jun 2012 14:44

Re: Question: Prefer to block on draft-ietf-krb-wg-kdc-model

On Thu, 2012-06-28 at 15:01 -0400, Sam Hartman wrote:
> OK.  I *think* that everyone can live with removing the attributes and
> making no other changes.

Sorry for being late, I was traveling this week.

> 1) Is there anyone who objects strongly to that?

I think the current proposal is better than the previous text.

> 2) does anyone see a set of changes they personally would prefer to
> removing the attributes that they think might be able to gain consensus?

I am not opposed to retaining them if made optional, but I have no
strong preference between making them optional and just removing them.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
