IETF Logo Mail Archive

Re: [kitten] GSS-only enctypes

Benjamin Kaduk <kaduk@MIT.EDU> Wed, 01 April 2015 23:04 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8828B1AC43B for <kitten@ietfa.amsl.com>; Wed, 1 Apr 2015 16:04:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G6WV83lEJZtN for <kitten@ietfa.amsl.com>; Wed, 1 Apr 2015 16:04:35 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE0161AC43A for <kitten@ietf.org>; Wed, 1 Apr 2015 16:04:34 -0700 (PDT)
X-AuditID: 1209190f-f79d16d000000d3d-57-551c7981e16b
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id 30.7A.03389.1897C155; Wed, 1 Apr 2015 19:04:33 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t31N4WrE029130; Wed, 1 Apr 2015 19:04:33 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t31N4VkL024117 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 1 Apr 2015 19:04:32 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id t31N4Ulm021513; Wed, 1 Apr 2015 19:04:30 -0400 (EDT)
Date: Wed, 01 Apr 2015 19:04:30 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <CAK3OfOgogdvyqUzKsLmbTB8B8x+RUQ9-Simknbd687d_-HCuPQ@mail.gmail.com>
Message-ID: <alpine.GSO.1.10.1504011903080.22210@multics.mit.edu>
References: <CAK3OfOj+Pe8kdAqfXR5EJgw38ekHSUwYv7NBEAZU3FpScbH3cw@mail.gmail.com> <alpine.GSO.1.10.1504011603320.22210@multics.mit.edu> <551C5C53.10901@mit.edu> <CAK3OfOgPg1xs7yg=Mh5+qb2L5j2ZDZVwr1D+NXs5QOzpnHA3Hw@mail.gmail.com> <ldvk2xvpl2q.fsf@sarnath.mit.edu> <CAK3OfOgogdvyqUzKsLmbTB8B8x+RUQ9-Simknbd687d_-HCuPQ@mail.gmail.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrFIsWRmVeSWpSXmKPExsUixG6nrttYKRNq0PFd0+Lo5lUsFqeuHWFz YPJ4eeoco8eSJT+ZApiiuGxSUnMyy1KL9O0SuDLOLZ/OUvCateLG5TWsDYz3WLoYOTkkBEwk tm4/xw5hi0lcuLeerYuRi0NIYDGTxPIdq5khnA2MEn9ftbBDOAeZJHqn/2cEaRESqJfomHeJ FcRmEdCSuHbjApjNJqAiMfPNRjYQW0RAU+L6vKVgNrOAusS3M2/AeoWB7Dm/poGdwSkQKPG+ dxETiM0r4CixpKUdavNZJonZ936CJUQFdCRW75/CAlEkKHFy5hMWiKFaEsunb2OZwCg4C0lq FpLUAkamVYyyKblVurmJmTnFqcm6xcmJeXmpRbomermZJXqpKaWbGEHByinJv4Px20GlQ4wC HIxKPLwNUdKhQqyJZcWVuYcYJTmYlER5RSpkQoX4kvJTKjMSizPii0pzUosPMUpwMCuJ8GoW AeV4UxIrq1KL8mFS0hwsSuK8m37whQgJpCeWpGanphakFsFkZTg4lCR4i0CGChalpqdWpGXm lCCkmTg4QYbzAA3fClLDW1yQmFucmQ6RP8Woy3Fnyv9FTEIsefl5qVLivCUgRQIgRRmleXBz YEnmFaM40FvCvNtAqniACQpu0iugJUxASxzmSYMsKUlESEk1MLKs/xa79NOp+btvagvOZK1j WZnFZ5SpdyHIvyhEqtJ/5sMs70dC876JnH89U2fel8DfCVopfU4PC6ZEL10gUqJzZx7rSZej vVN6Pf6waiemHGwIbFz76J4Lx5ZdzicPSSYmePy/HrJincefikWR9yO77P4fclUO625PvrX6 u1YHc/Cj4zuub1ViKc5INNRiLipOBADxGJBPDQMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/cYRvJKvjhQhw9pqrLAXNgwvBy0M>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] GSS-only enctypes
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2015 23:04:36 -0000

On Wed, 1 Apr 2015, Nico Williams wrote:

> I'd rather say that AEAD enctypes are just NOT RFC3961 enctypes, and
> they cannot be used in any RFC3961 interfaces.  But that approach does
> increase the friction between a Kerberos GSS mechanism implementation
> and the libkrb5 underneath (e.g., a krb5_authcontext wouldn't be able
> to have GSS-only sub-keys, and extracting them from the Authenticator
> and AP-REP might require new internal interfaces).
>
> We might have to settle for simply not permitting use of AEAD in
> non-GSS contexts.

It's always nice to have these decisions guided by implementation
experience, if someone (TM) tries out the different approaches and can
attest to their strengths and weaknesses.

-Ben

v2.23.0 | Report a Bug | By Email