
Re: RFC 4121 & acceptor subkey use in MIC token generation

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Thu Oct 26 17:59:20 2023

Message-ID: <202310262157.39QLvb2C012728@hedwig.cmf.nrl.navy.mil>
To: kerberos@mit.edu
In-Reply-To: <ZTraV0714XV7hsxx@ubby21>
MIME-Version: 1.0
Date: Thu, 26 Oct 2023 17:57:37 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>> Unfortunately, ANOTHER one of the "fun" rules I live under is, "Thou
>> shall have no other PKI than the DoD PKI".  And as much as I can
>> legitimately argue for many of the unusual things that I do, I can't get
>> away with that one; [...]
>
>A CA that issues short-lived certificates (for keys that might be
>software keys) is morally equivalent to a Kerberos KDC.  You ought to be
>able to deploy such online CAs that issue only short-lived certs.

You know that.  I know that.  But remember: "if you're explaining,
you're losing".  When asked I can honestly say, "Kerberos is not
a PKI" and that's good enough, but I can't say with a straight
face, "This X.509 CA over here is not a PKI".

>Presumably OpenSSH CAs are a different story because they're not x.509?  :)

Strangely enough, I am not aware of anyone in the DoD that uses OpenSSH
CAs (there probably are, I just don't know them).  I could see it being
argued both ways.  The people I know who use OpenSSH are (a) using
gssapi-with-mic like us, (b) just using passwords, or (c) using their
client smartcard key as a key for RSA authentication and they call that
"DOD PKI authentication".  Again, you know and I know that isn't really
using PKI certificates, but the people up the chain aren't really smart
enough to understand the distinction; they see that you're using the
smartcard and that's good enough for them.

>> We _do_ do PKINIT with the DoD PKI today; that is relatively
>> straightforward with the exception of dealing with certificate
>> revocation (last time I checked the total size of the DOD CRL package
>> was approximately 8 million serial numbers, sigh).
>
>Don't you have OCSP responders?

We _do_; it's just a pain to find an OCSP responder that can handle that
many.  If the official ones go offline, that breaks our KDC, so we run our
own locally.

>One of the problems I'm finding is that SSHv2 client implementations are
>proliferating, and IDEs nowadays tend to come with one, and not one of
>them supports GSS-KEYEX, though most of them support gssapi-with-mic, so
>it makes you want to give up on GSS-KEYEX.

Right, part of the problem there is that people want to "use Kerberos
with ssh", and they don't understand the difference between gssapi-with-mic
and gss-keyex.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos