IETF Logo Mail Archive

Re: [kitten] Clarification of gss_add_cred() behavior

Benjamin Kaduk <kaduk@MIT.EDU> Thu, 19 March 2015 19:50 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81E591A8EA9 for <kitten@ietfa.amsl.com>; Thu, 19 Mar 2015 12:50:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0iLrCgHoR7WI for <kitten@ietfa.amsl.com>; Thu, 19 Mar 2015 12:50:27 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54BC21A8824 for <kitten@ietf.org>; Thu, 19 Mar 2015 12:50:25 -0700 (PDT)
X-AuditID: 12074423-f79536d000000e74-c3-550b28804d48
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id B9.87.03700.0882B055; Thu, 19 Mar 2015 15:50:24 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id t2JJoO6Q028567 for <kitten@ietf.org>; Thu, 19 Mar 2015 15:50:24 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t2JJoMaR016377 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <kitten@ietf.org>; Thu, 19 Mar 2015 15:50:23 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id t2JJoMCQ021033; Thu, 19 Mar 2015 15:50:22 -0400 (EDT)
Date: Thu, 19 Mar 2015 15:50:22 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: kitten@ietf.org
In-Reply-To: <20150319194002.GG4309@mournblade.imrryr.org>
Message-ID: <alpine.GSO.1.10.1503191541510.3953@multics.mit.edu>
References: <20150319025202.GB8099@localhost> <alpine.GSO.1.10.1503191446260.3953@multics.mit.edu> <20150319194002.GG4309@mournblade.imrryr.org>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrOIsWRmVeSWpSXmKPExsUixG6notugwR1qsG2SvsXRzatYHBg9liz5 yRTAGMVlk5Kak1mWWqRvl8CVsWrbe6aCq5IVB4/nNTB+FO5i5OSQEDCRuLy6gwXCFpO4cG89 WxcjF4eQwGImiSV/OlghnOOMEj+OXGeBcG4wSaxau4wZwmlglLjz5CkrSD+LgLbEr95jzCA2 m4CKxMw3G9lAbBEBYYndW98BxTk4hAXsJLZNdQIJcwpYSax+tQSshFfAQeLPlDmMEDMnMEoc PzGDESQhKqAjsXr/FBaIIkGJkzOfgNnMAloSy6dvY5nAKDALSWoWktQCRqZVjLIpuVW6uYmZ OcWpybrFyYl5ealFumZ6uZkleqkppZsYweHnoryD8c9BpUOMAhyMSjy8AcLcoUKsiWXFlbmH GCU5mJREecNlgEJ8SfkplRmJxRnxRaU5qcWHGCU4mJVEeO+JAeV4UxIrq1KL8mFS0hwsSuK8 m37whQgJpCeWpGanphakFsFkZTg4lCR4DdSBGgWLUtNTK9Iyc0oQ0kwcnCDDeYCG/1cDGV5c kJhbnJkOkT/FqCglznsXJCEAksgozYPrhaWHV4ziQK8I8/qArOABpha47ldAg5mABv+r5QIZ XJKIkJJqYNTe6iGz2+hVRXjoP6+e3VnLo+ztwys+nvoR7dv0OmEzx/vz507x3T5l01UzKeBD lMN0e+0bl/5v2n7jf7Tr03c36iZ2n1IzKfK43nHRgIXhFccegZ27Oa5fWlGm4zVrqUTCsuXV E07vfd/h9qaxe+Llp0/Wvw7rmV6497Lz+eR3//evexg6XbhXiaU4I9FQi7moOBEAXrnWkuoC AAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/DM9By0GVUg66K-lMDyT7Y0vANXY>
Subject: Re: [kitten] Clarification of gss_add_cred() behavior
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2015 19:50:31 -0000

On Thu, 19 Mar 2015, Viktor Dukhovni wrote:

> On Thu, Mar 19, 2015 at 02:48:44PM -0400, Benjamin Kaduk wrote:
>
> > > I think this must have been a drafting error.  It's obvious to me, but
> > > maybe someone has a very different opinion as to this (Martin?).
> >
> > But a GSS credential can only represent a single identity ("entity", see
> > 1.1.1.1)!  Identities are represented by (non-mechanism) names, so it is
> > not clear to me that this is a drafting error.  If you know what name you
> > want credentials for, you should use it.
>
> The situation as I understand it is as follows.
>
>     1. gss_add_cred() is intended to build a credential handle
>        *incrementally*, adding credentials one mechanism at a time.
>        Either for a default name, or for an explicit name that
>        agrees with any previous credentials in the input handle.

Well, I am not sure that it makes sense to try to do this for the default
name (but see below).

>     2. For this interface to be useful, the initial state one must
>        be able to start with an empty credential handle and build up
>        from there.  This presumably is specified via a NULL input
>        credential, and still the same name for which one wants
>        creds.

There is GSS_Acquire_cred to obtain the first credential element.

>     3. So how are the desired "name" and "mech" used when going
>        from no creds (NULL input handle) to a handle with a first
>        credential element?

A GSS_C_NO_CREDENTIAL input handle is not a representation of no creds,
but rather a request to start from the default credentials.  The default
credentials must have some name associated with them, but we don't
(necessarily?) know what that name is.  My reading is that the only
reliable way to request the name associated with the default credentials
is to pass GSS_C_NO_NAME and not try to explicitly name the default
identity.  Now, maybe implementing this by completely ignoring the
supplied desired_name is not very friendly, but it makes some amount of
sense to me.

>     4.  The text says that a default credential handle is implicitly
> 	constructed with GSS_C_NO_NAME, and we add to that!  But what
> 	if the acquired default credential has a conflicting name, and
> 	potentially already has elements for the same or other mechanisms?

I think that the attempt to add the new credential must fail.

In general, if one is going to be doing anything with the default
credentials, one has to only use the default credentials.  If there are
other credentials in play, only the specific (known) credentials should be
used, to the exclusion of the default credentials.

> 	What is that text really trying to say, and why?

I guess my reading has the issue that if my reading is correct, why would
they have mentioned the GSS_C_NO_CREDENTIAL case at all for GSS_Add_cred.



Nico says:
> The problem is the spec effectivel says that when input_cred_handle ==
> GSS_C_NO_CREDENTIAL then desired_name is ignored.  This seems like a
> mistake.

My reply is that GSS_C_NO_CREDENTIAL means the default credentials which
in turn means the default name.  There's no use for an explcit name when
the default name is being used.

-Ben

v2.23.0 | Report a Bug | By Email