IETF Logo Mail Archive

Re: KITTEN: IETF 75 - 76

Martin Rex <Martin.Rex@sap.com> Wed, 19 August 2009 19:59 UTC

Return-Path: <Martin.Rex@sap.com>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C63DC3A6F53 for <kitten@core3.amsl.com>; Wed, 19 Aug 2009 12:59:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.739
X-Spam-Level:
X-Spam-Status: No, score=-5.739 tagged_above=-999 required=5 tests=[AWL=0.510, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UC2tQHRNDqMj for <kitten@core3.amsl.com>; Wed, 19 Aug 2009 12:59:32 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 891DF3A6E57 for <kitten@ietf.org>; Wed, 19 Aug 2009 12:58:56 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id n7JJwxNC005036 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 19 Aug 2009 21:58:59 +0200 (MEST)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200908191958.n7JJwwn0029779@fs4113.wdf.sap.corp>
Subject: Re: KITTEN: IETF 75 - 76
To: Nicolas.Williams@sun.com
Date: Wed, 19 Aug 2009 21:58:58 +0200
In-Reply-To: <20090819164010.GE1043@Sun.COM> from "Nicolas Williams" at Aug 19, 9 11:40:11 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: kitten@ietf.org, Shawn.Emery@sun.com
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2009 19:59:32 -0000

Nicolas Williams wrote:
> 
> > I'm not worried about rekeying, if you want to tackle that we are  
> > redoing the whole gss-api model.
> 
> Not really.  The SSPI does it, and the SSPI is very similar to the
> GSS-API.  Re-keying would be an incremental change, not a fundamental
> one (but it would require updates to app protocols in order for them to
> be able to use it).  For SASL re-keying would be much more intrusive .
> No, I don't care about re-keying.

Re-keying will require re-design of the API.

I'm not aware about rekeying being available in SSPI.

It must be availabe in some way for schannel, because IIS is
able to perform renegotiation in order to request a client cert
after having looked at the URL -- but I do not think it exists
for NTLM or Kerberos 5 SSPs.  If I'm wrong, do you have an URL
to the Microsoft documentation describing how it works?


In traditional GSS-API it is not possible to modify a security
context once it has been established.  And a communication might
go entirely unidirectional after security context establishment
for the rest of its lifetime (e.g. the data channel of an FTP
with GSS-API extensions).


-Martin

v2.23.0 | Report a Bug | By Email