Re: Comments on draft-ietf-kitten-krb5-gssapi-prf-03.txt

Martin Rex <martin.rex@sap.com> Mon, 23 May 2005 23:55 UTC

From: Martin Rex <martin.rex@sap.com>
Message-Id: <200505232354.BAA02708@uw1048.wdf.sap.corp>
To: Nicolas.Williams@sun.com
Date: Tue, 24 May 2005 01:54:57 +0200
In-Reply-To: <20050523230311.GE27936@binky.Central.Sun.COM> from "Nicolas Williams" at May 23, 5 06:03:12 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Cc: kitten@ietf.org
Subject: Re: Comments on draft-ietf-kitten-krb5-gssapi-prf-03.txt
Reply-To: martin.rex@sap.com

Nicolas Williams wrote:
> 
> On Tue, May 24, 2005 at 12:43:37AM +0200, Martin Rex wrote:
> > As with a similar discussion on the krb-ietf list about how a KDC cert should
> > be verified in PKINIT, we should not ignore the fact that the affected
> > spec (here) is going to be normative for both the gssapi mechanism
> > implementor and the application gssapi caller, and those two
> > will have entirely different backgrounds and needs.
> > 
> > We should add a reference to the document draft-eastlake-randomness2-10.txt
> > that is sitting on the Editor's queue:
> 
> With respect to what?  The input to the PRF?

You got me, I'm not following my own advice.

This reference should be guidance for gssapi mechanism implementors
that provide PRF output based on the cryptographic session key.

It may not be necessary for gssapi mechanisms where the implementation
details are public or even part of a public/published spec.
But you should not underestimate the number of gssapi mechanisms
that don't have a formal spec of any kind; there are plenty of
them.

GSS-API is primarily a spec for an API and only secondarily a
framework for independent, interoperable mechanism implementations
based on a common public spec.  In order to provide a useful
standard for application writers, the spec will have to provide
some guidance on the behaviour of proprietary gssapi mechanisms and
a level of expectation for the application writers.

-Martin
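Added illustration (editor's example, not text from the draft or from this message): the kind of mechanism-side PRF Martin is talking about, keyed only on the established session key, and why a randomness reference belongs in guidance for its implementors. The counter-and-HMAC-SHA256 expansion, the key values and the PRF inputs below are all assumed for the illustration; they are not the construction specified by draft-ietf-kitten-krb5-gssapi-prf. The second function shows the failure mode such guidance is meant to prevent: because the output is a deterministic function of the key, an attacker who sees one (input, output) pair can brute-force a session key that came from a low-entropy source.

```python
"""Illustrative GSS-API-style PRF keyed on a shared session key.

Editor's example only. The construction (4-byte big-endian counter || input,
under HMAC-SHA256, concatenated and truncated) is assumed for illustration
and is not the draft's specified PRF.
"""
import hashlib
import hmac
import struct

# Constructed sample keys, not taken from any real exchange.
STRONG_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0" "00112233445566778899aabbccddeeff"
)
# A session key drawn from a 16-bit space: deliberately far too little entropy.
WEAK_KEY = (0x1234).to_bytes(2, "big")


def gss_prf(session_key: bytes, prf_in: bytes, desired_len: int) -> bytes:
    """Return desired_len bytes of T0 || T1 || ... with
    Tn = HMAC-SHA256(session_key, n || prf_in), n a 4-byte big-endian
    counter starting at 0. Deterministic: both peers holding the same
    session key and input compute the same output, which is the point
    of a GSS-API PRF and also the reason its unpredictability can never
    exceed that of the session key."""
    if desired_len < 0:
        raise ValueError("desired_len must be non-negative")
    blocks = bytearray()
    n = 0
    while len(blocks) < desired_len:
        msg = struct.pack(">I", n) + prf_in
        blocks += hmac.new(session_key, msg, hashlib.sha256).digest()
        n += 1
    return bytes(blocks[:desired_len])


def peers_agree(session_key: bytes, prf_in: bytes, desired_len: int) -> bool:
    """Initiator and acceptor derive independently; compare in constant time."""
    initiator = gss_prf(session_key, prf_in, desired_len)
    acceptor = gss_prf(session_key, prf_in, desired_len)
    return hmac.compare_digest(initiator, acceptor)


def recover_weak_key(prf_in: bytes, observed: bytes, key_bits: int = 16):
    """Attacker view: the PRF input is usually public (a label or nonce) and
    the output may leak, e.g. when used directly as an IV or a token. If the
    session key came from a small space, enumerate it. Returns the key or
    None when no key of that size reproduces the observed output."""
    if key_bits % 8:
        raise ValueError("key_bits must be a multiple of 8 for this demo")
    for i in range(1 << key_bits):
        guess = i.to_bytes(key_bits // 8, "big")
        if hmac.compare_digest(gss_prf(guess, prf_in, len(observed)), observed):
            return guess
    return None


if __name__ == "__main__":
    label = b"application-key-label"  # constructed PRF input
    print("peers agree:", peers_agree(STRONG_KEY, label, 48))
    leaked = gss_prf(WEAK_KEY, label, 16)
    print("weak key recovered:", recover_weak_key(label, leaked) == WEAK_KEY)
    print("strong key recovered:", recover_weak_key(label, gss_prf(STRONG_KEY, label, 16)))
```

The mechanism implementor, not the application caller, decides where the session key came from and therefore how much the PRF output is worth; that is the audience a pointer to randomness guidance is for.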

_______________________________________________
Kitten mailing list
Kitten@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten