IETF Logo Mail Archive

Re: Comments on draft-ietf-kitten-krb5-gssapi-prf-03.txt

Martin Rex <martin.rex@sap.com> Mon, 23 May 2005 22:44 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DaLeY-0001Y8-0N; Mon, 23 May 2005 18:44:06 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DaLeW-0001Y2-SI for kitten@megatron.ietf.org; Mon, 23 May 2005 18:44:04 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA07718 for <kitten@ietf.org>; Mon, 23 May 2005 18:44:02 -0400 (EDT)
Received: from smtpde02.sap-ag.de ([155.56.68.170]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DaLwZ-0007B1-NF for kitten@ietf.org; Mon, 23 May 2005 19:02:45 -0400
Received: from sap-ag.de (smtpde02) by smtpde02.sap-ag.de (out) with ESMTP id AAA22709; Tue, 24 May 2005 00:43:38 +0200 (MESZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200505232243.AAA00980@uw1048.wdf.sap.corp>
To: Nicolas.Williams@sun.com
Date: Tue, 24 May 2005 00:43:37 +0200
In-Reply-To: <20050523222438.GC27936@binky.Central.Sun.COM> from "Nicolas Williams" at May 23, 5 05:24:38 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 39bd8f8cbb76cae18b7e23f7cf6b2b9f
Content-Transfer-Encoding: 8bit
Cc: kitten@ietf.org, raeburn@MIT.EDU
Subject: Re: Comments on draft-ietf-kitten-krb5-gssapi-prf-03.txt
X-BeenThere: kitten@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: Common Authentication Technologies - Next Generation <kitten.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@lists.ietf.org>
List-Help: <mailto:kitten-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=subscribe>
Sender: kitten-bounces@lists.ietf.org
Errors-To: kitten-bounces@lists.ietf.org

As with a similar discussion on krb-ietf list how a KDC cert should
be verified in PKINIT, we should not ignore the fact that the affected
spec (here) is going to be normative for both, the gssapi mechanism
implementor and the application gssapi caller, and those two
will have an entirely different background and needs.

So I would suggest to actually quantify
 (a) what the mechanism implementor must provide as a minimum
     to be at all useful
 (b) what the application caller can rely on to be safely available.

I think that a number in the range of 1000-2000 should be good.

I would indicate to the gssapi implementor that a secure PRF is
necessary, and it would indicate to the application caller
that this function is not designed to produce a Stream-cipher like
pseudo random pad which it can (ab)use to XOR large piles
of application data.


We should add a reference to the document draft-eastlake-randomness2-10.txt
that is sitting on the Editor's queue:

  Date: Mon, 07 Feb 2005 17:31:14 -0500
  Subject: Protocol Action: 'Randomness Requirements for Security' to BCP
  Sender: ietf-announce-bounces@ietf.org

  The IESG has approved the following document:

  - 'Randomness Requirements for Security '
     <draft-eastlake-randomness2-10.txt> as a BCP

This document contains lots of useful information about cryptographic
randomness.


-Martin

_______________________________________________
Kitten mailing list
Kitten@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email