Re: KITTEN: IETF 75 - 76
Nicolas Williams <Nicolas.Williams@sun.com> Mon, 17 August 2009 23:25 UTC
Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ABAB23A6A7C for <kitten@core3.amsl.com>; Mon, 17 Aug 2009 16:25:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.899
X-Spam-Level:
X-Spam-Status: No, score=-5.899 tagged_above=-999 required=5 tests=[AWL=0.147, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qg19IsRU9OmT for <kitten@core3.amsl.com>; Mon, 17 Aug 2009 16:25:08 -0700 (PDT)
Received: from brmea-mail-4.sun.com (brmea-mail-4.Sun.COM [192.18.98.36]) by core3.amsl.com (Postfix) with ESMTP id AB4C13A67F2 for <kitten@ietf.org>; Mon, 17 Aug 2009 16:25:07 -0700 (PDT)
Received: from dm-central-01.central.sun.com ([129.147.62.4]) by brmea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id n7HNPCUd001197 for <kitten@ietf.org>; Mon, 17 Aug 2009 23:25:12 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n7HNPCJx047661 for <kitten@ietf.org>; Mon, 17 Aug 2009 17:25:12 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n7HNEUd2003267; Mon, 17 Aug 2009 18:14:30 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n7HNEUT6003266; Mon, 17 Aug 2009 18:14:30 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Mon, 17 Aug 2009 18:14:30 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Martin Rex <Martin.Rex@sap.com>
Subject: Re: KITTEN: IETF 75 - 76
Message-ID: <20090817231429.GG1043@Sun.COM>
References: <200908180013.29152.leifj@mnt.se> <200908172302.n7HN27Nx008325@fs4113.wdf.sap.corp>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <200908172302.n7HN27Nx008325@fs4113.wdf.sap.corp>
User-Agent: Mutt/1.5.7i
Cc: kitten@ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2009 23:25:09 -0000
On Tue, Aug 18, 2009 at 01:02:07AM +0200, Martin Rex wrote: > Leif Johansson wrote: > > > > That was exporting unfinished contexts actually - slightly different. > > exporting&importing unfinished security contexts will usually > break the gssapi architecture. We've had this argument. > The context establishement calls take a number of arguments > that must be the same for the initial and all iteration calls, > and it is an implementation issue at which point which of these > parameters is accessed. I don't see how this is an issue. The implementation can make sure that the exported partially established sec context encodes these arguments so they can be checked later after importing. > During security context establishment, access to credentials might > be necessary at various stages, and the caller would have to > make sure the parameters during each iteration call are the same > as during the first call. > > Credentials that are stored on a hardware token are often not > transferable, and also may require a serialization of the access. None of that means that we can't have a partially established security context export/import facility that is allowed to fail when non-extractable keys in tokens are involved. (Alternatively, export might succeed and the exported sec context token might just have enough information to either re-establish logged-in access to the token, or call back into a service in the process that "exported" the sec context; import could still fail, obviously.) We can agree that GSS_Export_sec_context() either MUST NOT succeed for partially established security contexts, or that it is OPTIONAL for it to succeed in the case of partially established security contexts. In the former case we can then introduce a new function that does support this feature, with all the above caveats. We should stop having this argument now. > > hmm, is asynchronous calls related to exportable contexts perhaps...? > > What exactly do you mean by asynchronous calls?? > > GSS-API does not include message transport, so all calls are > by definition asynchronous. > > Or were you thinking about the Kerberos 5 gssapi mechanisms communication > with the KDC during gss_init_sec_context() (and possibly during > gss_acquire_cred for some newer implementations)? The latter. And no, gss_acquire_cred() cannot do this (because what matters, in the krb5 case, is the target name passed to gss_init_sec_context()). And it's not just about Kerberos. PKIX-based mechanisms, such as PKU2U (or SPKM-*) may need to talk to third-parties in either the initiator, acceptor, or both cases (e.g., to validate certificates). In both cases (Kerberos and PKIX) we have not only message exchanges with KDCs, OCSP Responders, and/or CRL servers, but also potentially DNS lookups (of KDC/OCSP/CRL server names). All of these are potentially very slow, particularly in failure cases (network partitions, ...). Single-threaded, async I/O style programs that would normally remain responsive have to block in these functions, or else they must create background threads in which to do the gss_init/accept_sec_context() calls (in which case they'd be... creating async versions of gss_init/accept_sec_context(), which proves the point that they are doable). Nico --
- KITTEN: IETF 75 - 76 Shawn M Emery
- Re: KITTEN: IETF 75 - 76 Alexey Melnikov
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Love Hörnquist Åstrand
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Leif Johansson
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Martin Rex
- Re: KITTEN: IETF 75 - 76 Martin Rex
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Love Hörnquist Åstrand
- Re: KITTEN: IETF 75 - 76 Love Hörnquist Åstrand
- Re: KITTEN: IETF 75 - 76 Love Hörnquist Åstrand
- Re: KITTEN: IETF 75 - 76 Love Hörnquist Åstrand
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Martin Rex
- Re: KITTEN: IETF 75 - 76 Martin Rex
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Martin Rex
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Martin Rex
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Martin Rex
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Michael B Allen
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Shawn M Emery
- Re: KITTEN: IETF 75 - 76 Love Hörnquist Åstrand
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Love Hörnquist Åstrand
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Michael B Allen
- Re: KITTEN: IETF 75 - 76 Love Hörnquist Åstrand
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Love Hörnquist Åstrand
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Michael B Allen
- Re: KITTEN: IETF 75 - 76 Love Hörnquist Åstrand
- Re: KITTEN: IETF 75 - 76 Stefan (metze) Metzmacher
- Re: KITTEN: IETF 75 - 76 Michael B Allen
- Re: KITTEN: IETF 75 - 76 Love Hörnquist Åstrand
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Michael B Allen
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Michael B Allen
- Re: KITTEN: IETF 75 - 76 Jeffrey Hutzelman
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Jeffrey Hutzelman
- Re: KITTEN: IETF 75 - 76 Michael B Allen
- Re: KITTEN: IETF 75 - 76 Nicolas Williams
- Re: KITTEN: IETF 75 - 76 Jeffrey Hutzelman
- Re: KITTEN: IETF 75 - 76 Volker Lendecke
- Re: KITTEN: IETF 75 - 76 Volker Lendecke