Hello, I revised my TLS-KDH draft to include comments from this group. Thanks!
The changes can be summarised as:

* Integration with "normal" X.509 certificates; client may use krb5 certificate
* Kerberos Ticket as X.509 pubkeyinfo; Authenticator as signature mechanism
* Define TLS-standardised hashes as ChecksumTypes for use in an Authenticator
* Moved TicketRequestFlags to a TLS Extension; negotiation with min/max flags
* Taken out protocol-bound DH; this saves about 75% of the complexity
* Pre-master secret now incorporates Kerberos session key and DH shared secret
* Added descriptions of how to support backend servers in Ticket AuthData

I am aware that embedding Kerberos in an X.509 certificate is uncommon; but it simplifies the rest incredibly, and suddenly everything "clicks" smoothly into the rest of TLS. I therefore think this form of "tunneling" certifying information is worth considering.

Is this something that could be discussed at IETF 95?

Cheers,

-Rick

> A new version of I-D, draft-vanrein-tls-kdh-02.txt
> has been successfully submitted by Rick van Rein and posted to the
> IETF repository.
>
> Name: draft-vanrein-tls-kdh
> Revision: 02
> Title: TLS-KDH: Kerberos + Diffie-Hellman in TLS
> Document date: 2016-03-11
> Group: Individual Submission
> Pages: 23
> URL: https://www.ietf.org/internet-drafts/draft-vanrein-tls-kdh-02.txt
> Status: https://datatracker.ietf.org/doc/draft-vanrein-tls-kdh/
> Htmlized: https://tools.ietf.org/html/draft-vanrein-tls-kdh-02
> Diff: https://www.ietf.org/rfcdiff?url2=draft-vanrein-tls-kdh-02
>
> Abstract:
> This specification defines a TLS message flow with Kerberos-based
> (mutual) authentication, binding in Elliptic-Curve Diffie-Hellman to
> achieve Forward Secrecy for the session.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
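The change summary above says the pre-master secret now incorporates both the Kerberos session key and the DH shared secret, which is what ties the forward-secrecy claim in the abstract to the Kerberos authentication. The following is an added illustration, not code from the draft or its author: the page does not give the draft's actual combination formula, so the HKDF-based construction (RFC 5869, SHA-256), the `info` label and the 48-byte output length are assumptions chosen only to show the property. The Kerberos session key is used as the HKDF salt and the DH shared secret as the input keying material, so the output cannot be reproduced from either value alone; the sample secrets are constructed at random.

```python
"""Added example: combining a Kerberos session key and a DH shared secret.

Not the TLS-KDH draft's construction (the page does not give it); this is an
HKDF-based stand-in used to show why mixing both inputs gives forward secrecy
against later disclosure of the long-lived Kerberos key.
"""
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # HKDF-Extract (RFC 5869) with SHA-256; an empty salt is a string of zeros.
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # HKDF-Expand (RFC 5869) with SHA-256: T(i) = HMAC(PRK, T(i-1) | info | i).
    out = b""
    block = b""
    counter = 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_pre_master_secret(krb_session_key: bytes, dh_shared_secret: bytes,
                             length: int = 48) -> bytes:
    """Derive a pre-master secret that depends on both inputs.

    Hypothetical construction (assumption, not the draft's): the ephemeral DH
    shared secret is the keying material and the Kerberos session key is the
    salt, so knowledge of one input without the other yields nothing.
    """
    if not krb_session_key or not dh_shared_secret:
        raise ValueError("both the Kerberos session key and the DH secret are required")
    prk = hkdf_extract(salt=krb_session_key, ikm=dh_shared_secret)
    return hkdf_expand(prk, b"tls-kdh example pre-master secret", length)


def forward_secrecy_check(krb_session_key: bytes) -> bool:
    """Return True if two sessions under the same Kerberos key but different
    ephemeral DH secrets get different pre-master secrets.

    That is the forward-secrecy property: a Kerberos key disclosed later does
    not by itself recover any past session's pre-master secret.
    """
    # Constructed sample values standing in for two sessions' (EC)DH outputs.
    dh_session_a = os.urandom(32)
    dh_session_b = os.urandom(32)
    return (derive_pre_master_secret(krb_session_key, dh_session_a)
            != derive_pre_master_secret(krb_session_key, dh_session_b))


if __name__ == "__main__":
    # Constructed sample Kerberos session key (not a real ticket key).
    sample_krb_key = os.urandom(32)
    print("forward-secrecy property holds:", forward_secrecy_check(sample_krb_key))
```

The same idea applies regardless of the exact KDF the draft settles on: as long as the pre-master secret is a one-way function of both the Kerberos session key and the ephemeral (EC)DH shared secret, recording the traffic and later obtaining the Kerberos key is not enough to decrypt a past session.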
