Last Call Review of draft-josefsson-kerberos5-starttls-

Request Review of draft-josefsson-kerberos5-starttls
Requested rev. no specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2009-12-24
Requested 2009-12-11
Authors Simon Josefsson
Draft last updated 2009-12-24
Completed reviews Secdir Last Call review of -?? by Magnus Nystrom
Secdir Telechat review of -?? by Magnus Nystrom
Assignment Reviewer Magnus Nystrom 
State Completed
Review review-josefsson-kerberos5-starttls-secdir-lc-nystrom-2009-12-24
Review completed: 2009-12-24


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document defines a new Kerberos extension to allow Kerberos
protocol runs over TLS.

I do not have any general issues with this document but a few

Section 1: "The TLS protocol has been studied by many parties.  In
some threat models, the designer prefer to reduce the number of
protocols that can hurt the overall system security if they are
compromised." This statement seems to me like a strange reason to
motivate this work - Kerberos is equally well studied (at least) as
TLS and this memo does not reduce the number of protocols in the
system (c.f. the recent TLS renegotiation vulnerability)

Section 3: In the packet flow, why are the first two Kerberos
exchanges ([0x70000000 & STARTTLS-bit] and [0x00000000]) wihtin square
brackets? Is it because they're seen as a separate protocol, or some
other reason? A clarification would be helpful.

Section 5: "Use of TLS, even without server certificate validation,
protects against some attacks that Kerberos V5 over UDP/TCP do not.
Requiring server certificates to be used at all times would enable
attacks in those situations": a) It would be useful to give examples
of attacks that unauthenticated TLS protects against that Kerberos V5
does not protect against. b) Last sentence is ambigious - if server
certs are required and the client verifies them I do not see what
attacks would be enabled. I assume the last sentence intends to say
that requiring server certs to be used when clients cannot validate
will enable some attacks but I am not sure.

Section 5: "When clients have the ability, they need to be able to
validate the server certificate" I suggest rephrasing to: "When
clients have the ability, they MUST validate the server certificate"
(or at least SHOULD).

-- Magnus