Re: [kitten] CredUI

Greg Hudson <ghudson@MIT.EDU> Sat, 01 February 2014 19:58 UTC

Message-ID: <52ED51DF.9030702@mit.edu>
Date: Sat, 01 Feb 2014 14:58:23 -0500
From: Greg Hudson <ghudson@MIT.EDU>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>, Luke Howard <lukeh@padl.com>
References: <22979F1F-33E3-4073-88EF-A491965B01B7@padl.com> <CAK3OfOj1rxPeivS-oeoLvSvPQyyjnPQEB6-wS38F4uL+m31-uQ@mail.gmail.com>
In-Reply-To: <CAK3OfOj1rxPeivS-oeoLvSvPQyyjnPQEB6-wS38F4uL+m31-uQ@mail.gmail.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "kitten@ietf.org" <kitten@ietf.org>, Love Hörnquist Åstrand <lha@h5l.org>
Subject: Re: [kitten] CredUI
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Feb 2014 19:58:35 -0000

On 02/01/2014 01:36 PM, Nico Williams wrote:
> On Fri, Jan 31, 2014 at 8:06 PM, Luke Howard <lukeh@padl.com> wrote:
>> * an API/SPI to acquire a credential given an arbitrary dictionary (currently we implemented this using gss_set_cred_option(), as that can output a credential, but a new entry point would be cleaner)
> 
> You want gss_acquire_cred_from().
> 
> http://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions

I believe the consensus at the time was that gss_key_value_set_desc
could be used for answers to authentication questions, but the
cred_store parameter to gss_acquire_cred_from cannot.  See:

http://mailman.mit.edu/pipermail/krbdev/2012-July/011105.html

IIRC Nico or Sam had some ideas on what an initial cred acquisition API
might look like (given that it's not just gss_acquire_cred_from), but I
can't seem to find a writeup.