From: "Nico Williams" <nico@cryptonector.com>
To: krb5-bugs@mit.edu
Date: Fri, 26 Mar 2021 11:41:03 -0500
Subject: PKINIT client cert notAfter has no effect on ticket endtime, but should
Message-ID: <20210326164102.GU4787@localhost>
In a world where there are online CAs issuing client certificates it is important to not allow the endtime of a ticket acquired with PKINIT to extend past the notAfter of the client's certificate. Otherwise there is the risk that a user can cycle a forever credential by using Kerberos to acquire a client certificate and then the client certificate to acquire a TGT, repeatedly getting a 10 hour (or whatever is configured) extension, and thus avoiding the need to periodically engage in initial [pre-]authentication.

This should apply to all pre-authentication methods where the method involves expiring credentials, and indeed, it already applies to PA-TGS for example.

Not applying the client certificate's notAfter to the issued ticket's endtime is only a serious bug in environments that also operate online CAs that issue client certificates good for PKINIT to clients authenticated with Kerberos. In the context of as-originally-intended deployment, this is not a serious bug.
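The endtime policy the report asks for, and the credential-cycling loop it warns about, modelled in Python as an added example (this is not code from the report or from MIT krb5). It assumes, as the report does, a Kerberos-authenticated online CA that caps each issued certificate's notAfter at the authenticating ticket's endtime; the function names, the ClientCert stand-in and the sample times are hypothetical. With the cap the chain can never outlive the endtime granted by the last real initial pre-authentication; without it every PKINIT hop grants a fresh max_life extension.

```python
"""Model of the PKINIT ticket-endtime policy discussed in the report.

Added example, not krb5 code.  All names are hypothetical; times are
timezone-aware datetimes and the sample values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ONE_MINUTE = timedelta(minutes=1)
TEN_HOURS = timedelta(hours=10)                      # stand-in for max_life
START = datetime(2021, 3, 26, 16, 0, tzinfo=timezone.utc)
INITIAL_ENDTIME = START + TEN_HOURS                  # endtime from a real initial pre-authentication


@dataclass(frozen=True)
class ClientCert:
    """Only the field the KDC-side check needs: the certificate's notAfter."""
    subject: str
    not_after: datetime


def pkinit_ticket_endtime(now, requested_endtime, max_life, cert, cap_to_cert=True):
    """Return the endtime a KDC grants for a PKINIT AS-REQ.

    The usual clamp is min(requested, now + max_life).  With cap_to_cert the
    result is additionally clamped to the client certificate's notAfter, which
    is the behaviour the report asks for.  An already expired certificate is
    rejected outright rather than yielding a ticket that is dead on arrival.
    """
    if cert.not_after <= now:
        raise ValueError(
            f"client certificate for {cert.subject} expired at {cert.not_after.isoformat()}"
        )
    endtime = min(requested_endtime, now + max_life)
    if cap_to_cert:
        endtime = min(endtime, cert.not_after)
    return endtime


def simulate_credential_cycle(initial_endtime, max_life, hops, cap_to_cert):
    """Model the loop from the report: TGT -> cert from online CA -> PKINIT -> TGT ...

    Assumption: the online CA is Kerberos-authenticated and caps the certificate
    notAfter at the authenticating ticket's endtime.  On each hop the user re-ups
    one minute before the current TGT expires.  Returns the endtime of the TGT
    held after `hops` iterations.
    """
    tgt_end = initial_endtime
    for _ in range(hops):
        now = tgt_end - ONE_MINUTE
        cert = ClientCert("alice@EXAMPLE.COM", not_after=tgt_end)   # CA caps cert to TGT endtime
        tgt_end = pkinit_ticket_endtime(now, now + max_life, max_life, cert, cap_to_cert)
    return tgt_end


if __name__ == "__main__":
    for cap in (False, True):
        end = simulate_credential_cycle(INITIAL_ENDTIME, TEN_HOURS, hops=100, cap_to_cert=cap)
        print(f"cap_to_cert={cap}: TGT endtime after 100 hops = {end.isoformat()}")
```

Running the module shows the two outcomes side by side: uncapped, the held TGT's endtime after 100 hops is roughly 41 days past the original one; capped, it is still INITIAL_ENDTIME, so the user must eventually perform initial pre-authentication again.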