Re: GSS-API and SSL - their coexistence, and related issues
Matt Hur <matt.hur@cybersafe.com> Thu, 13 March 1997 03:01 UTC
Received: from cnri by ietf.org id aa28165; 12 Mar 97 22:01 EST
Received: from pad-thai.cam.ov.com by CNRI.Reston.VA.US id aa27197; 12 Mar 97 22:01 EST
Received: by pad-thai.cam.ov.com (8.8.5/) id <XAA16347@pad-thai.cam.ov.com>; Wed, 12 Mar 1997 23:42:59 GMT
Message-Id: <3.0.32.19970312154438.00946c20@pop-srvr.cybersafe.com>
X-Sender: matth@pop-srvr.cybersafe.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 12 Mar 1997 15:44:40 -0800
To: bjb@trsvr.tr.unisys.com, cat-ietf@mit.edu, CryptoAPI@listserv.msn.com, ssl-talk@netscape.com
From: Matt Hur <matt.hur@cybersafe.com>
Subject: Re: GSS-API and SSL - their coexistence, and related issues
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Precedence: bulk
At 04:33 PM 3/12/97 -0500, Bill Buffam wrote: 8< >8 >(c) We can apparently embrace Kerberos migration within the SSL >mechanism, as defined in >ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-kerb-cipher-suites-00.txt >This implies that SSL (or TLS or whatever it becomes) becomes the >unifying framework within which all future session-oriented security >mechanisms will live. It appears to set the stage for GSS-API and >SSL/TLS to compete for the role of unifying orchestrator of >session-oriented security. The very existence of this draft seems to me >to be a tacit admission that current SSL techniques are more >developer-friendly than GSS-API. Perhaps the authors could comment. > The Kerberos cipher suite draft does not imply a preference of SSL over GSS-API. It simply acknowledges a general acceptance of SSL. We view support for Kerberos cipher suites in SSL as simply a mechanism to provide more coverage and interoperability for users who are registered with Kerberos realms. This is especially apparent within the enterprise environment. SSL (or TLS) is currently a dominant public key based protocol. Since it is so easy to add a Kerberos authentication method, it seemed like a "no-brainer" to add support for Kerberos cipher suites (in that you can get a big payoff in interoperability - it took about a week and a half to do our reference implementation). We are trying to be pragmatic about interoperability (espcially since our company's primary customers are large enterprises). If an organization has a Kerberos infrastructure in place, then they should be able to use Kerberos for authentication to services that are secured via protocols that have typically utilized public key cryptography for authentication. Whether this solution leads to a migration to a public key infrastructure or not is orthogonal to the issue of interoperability. Likewise, if an organization has a public key infrastructure in place, then they should be able to use public key credentials to authenticate to Kerberized services (this is accomplished with PKINIT, another Internet draft with which we have been intimately involved). Again, whether or not this is a migratory solution is orthogonal to the issue of interoperability. We would like to see support for Kerberos cipher suites in SSL/TLS. We think that this is a pragmatic approach to interoperability in large scale, real world deployments. We talked with the folks over at Netscape about supporting Kerberos cipher suites in their SSL implementation. If you are developing SSL/TLS implementations, we would like to hear from you, and we would be interested in providing support for this endeavor. We haven't talked with the folks at Microsoft yet, but we would appreciate thier input, since they are developing both Kerberos and SSL/TLS-based solutions as part of their security infrastructure. You can download a simple reference implementation from ftp://nii.isi.edu/pub/ssl-krb. Regards, Matt Hur 8< >8 >-- > >Bill Buffam >Unisys, Malvern PA >bjb@trsvr.tr.unisys.com > > ---------------------------------------------------------------- Matt Hur CyberSafe matt.hur@cybersafe.com 1605 NW Sammamish Road, Suite 310 (206) 391-6000 Issaquah, WA 98027-5378 http://www.cybersafe.com
- Re: GSS-API and SSL - their coexistence, and rela… Bill Buffam
- Re: GSS-API and SSL - their coexistence, and rela… Rich Salz
- Re: GSS-API and SSL - their coexistence, and rela… Theodore Y. Ts'o
- [Fwd: Re: GSS-API and SSL - their coexistence, an… John Jones
- Re: GSS-API and SSL - their coexistence, and rela… Bill Buffam
- Re: GSS-API and SSL - their coexistence, and rela… Theodore Y. Ts'o
- Re: GSS-API and SSL - their coexistence, and rela… Marc Horowitz
- Re: GSS-API and SSL - their coexistence, and rela… Rich Salz
- Re: GSS-API and SSL - their coexistence, and rela… Marc Horowitz
- Re: GSS-API and SSL - their coexistence, and rela… Bill Buffam
- RE: GSS-API and SSL - their coexistence, and rela… Michel Ranger
- Re: GSS-API and SSL - their coexistence, and rela… Bill Buffam
- Re: GSS-API and SSL - their coexistence, and rela… Matt Hur
- Re: [Fwd: Re: GSS-API and SSL - their coexistence… Todd S. Glassey
- Re: GSS-API and SSL - their coexistence, and rela… Martin Rex
- Re: GSS-API and SSL - their coexistence, and rela… John Nunneley
- GSS-API and SSL - their coexistence, and related … Bill Buffam
- Re: GSS-API and SSL - their coexistence, and rela… David P. Kemp