[OpenAFS] Re: "public" pkinit service without database-overflow risk?

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 04 Jan 2006 20:29:18 -0500

On Wednesday, January 04, 2006 05:04:33 PM -0800 Adam Megacz 
<megacz@cs.berkeley.edu> wrote:

>> Note that KDC's are already stateless.  Every KDC implementation I
>> know of logs the requests it handles for debugging and auditing
>> purposes, but none actually maintain any "state" other than a
>> short-term replay cache.
> Hrm, I don't think I've been clear here -- in current KDC's, the
> "state" I speak of is the list of principals and their associated
> secret keys, which may be either static or created on the fly.

That's data, not state.  As I said, KDC's are nearly stateless.  They don't 
record things about tickets they've issued, or principals to which they've 
issued tickets, or any such thing.  They do maintain a short-term replay 

> Right.  I guess the question I'm asking is can this be made robust
> enough that the KDC can issue tickets for certs certified by a CA who
> might decide to try to overload the KDC by issuing a bajillion "spam
> certificates" and ask for a principal to be allocated for each one of
> them, thereby filling up the KDC's disk if it needs to keep an on-disk
> record of all principals for whom it has issued tickets.

Well, you already have potential problems with filling the replay cache or 
auditing log with too large a volume of requests.  There are a variety of 
possible ways to deal with these problems, but none of the problems get 
worse due to the use of PKINIT, whether with pre-registered principals or 
not.  What matters is the volume of requests, not the number of distinct 
principals for which you might issue tickets.

That said, no KDC in its right mind would issue tickets based on 
certificates signed by a CA it didn't trust.  That would be stupid.

> The other (totally separate) use case I'm thinking of is one
> "authorization with only trivial authentication" where you "are" your
> public key.  So the KDC issues a ticket saying nothing more than "this
> person has been confirmed to posess the private key corresponding to
> public key XYZ" (where XYZ actually literally appears in the principal
> in some form).  In this case the disk-overload problem is much more
> real and serious.

Actually, it's no different.  Any disk-filling sort of problems still scale 
with the volume and rate of requests, not the number of possible principal 
names.  And I daresay my KDC can process requests more efficiently than you 
can generate new public key pairs.

In any event, I don't see this as a common deployment scenario for 
Kerberos.  I doubt many realm administrators will want to issue tickets to 
any random bozo who comes up to them.  I doubt many applications will care 
to support an authorization model in which Kerberos principals are 
identified to them by public keys rather than by principal names.  Most of 
those that do already support some form of public-key-based authentication 
at the application layer, and would gain little from using Kerberos for 
that.  AFS isn't there yet, but could be within a year, if someone cared 
enough to design and implement a suitable GSSAPI mechanism.  Getting it 
"right" might take a bit longer, depending on how long the GSSAPI identity 
work currently going on in KITTEN takes.

-- Jeff