Re: [kitten] New Version Notification for draft-kaduk-kitten-gss-loop-01.txt (fwd)
Nico Williams <nico@cryptonector.com> Thu, 21 November 2013 18:31 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5252A1AE248 for <kitten@ietfa.amsl.com>; Thu, 21 Nov 2013 10:31:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jt8Sy7cSJtCY for <kitten@ietfa.amsl.com>; Thu, 21 Nov 2013 10:31:09 -0800 (PST)
Received: from homiemail-a27.g.dreamhost.com (caiajhbdcaid.dreamhost.com [208.97.132.83]) by ietfa.amsl.com (Postfix) with ESMTP id 1F3CF1AE23F for <kitten@ietf.org>; Thu, 21 Nov 2013 10:31:09 -0800 (PST)
Received: from homiemail-a27.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a27.g.dreamhost.com (Postfix) with ESMTP id 60B82598081 for <kitten@ietf.org>; Thu, 21 Nov 2013 10:30:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=7YKK3ITLPa+Zr/klhXsU oPoLDRs=; b=VX3FKT6tXvDt4cSOfI58oaObFgGsGdQVUCcZMh3x+aBWJY7gIIoz +LWdbKndt6rz6qDyWzhRl0BCgk3jvEtenU6hPkRnq+746MZFk+0wjyGWs7my3jf2 AQlQ/+hZ6Y9KqAS+fME6AMPrwhYpXOhiHyEyAi0xNWidpTm2CnDmyDE=
Received: from mail-wi0-f177.google.com (mail-wi0-f177.google.com [209.85.212.177]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a27.g.dreamhost.com (Postfix) with ESMTPSA id 352AD59807A for <kitten@ietf.org>; Thu, 21 Nov 2013 10:30:53 -0800 (PST)
Received: by mail-wi0-f177.google.com with SMTP id cc10so110859wib.10 for <kitten@ietf.org>; Thu, 21 Nov 2013 10:30:50 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=tyqeVTsgiWmuUkuMeM20Mf7f789cqZ7QlxHEGsG/Oho=; b=Xigz2tDL+UkIpeLKWLa1lOmGOUWRg33YqwXbF9CxD8/y2W5Opue74yCMaZJuEzTner 9y779sVUK7aYnTjqQUNQ4+t3kUyYry//Bb1CuyD2NnZNovNuP9sTlowtj1f3ID4Hvcio Gq0E0OQOt/c394efBtvQaRzGtn5PacOfvLDS+0e/y9Dr/KxzYQ/MOizfvFrru6G5tnes Td1aGhURV9Ttv1HaI0U8ir/mNIb1q4xY8gk+HiG/R73e7dx2+Yrv4PuxguFvaEuquJzE qQJSuliWCRzWlZws8DejSMsS0QUXIjXMhji3Hoyf9+a7wAkc9YAYCkSxz4Z09dbMETqO dYMQ==
MIME-Version: 1.0
X-Received: by 10.180.198.79 with SMTP id ja15mr6991578wic.36.1385058650606; Thu, 21 Nov 2013 10:30:50 -0800 (PST)
Received: by 10.216.151.136 with HTTP; Thu, 21 Nov 2013 10:30:50 -0800 (PST)
In-Reply-To: <1385050186.6315.15.camel@destiny.pc.cs.cmu.edu>
References: <20131120235129.7E4E71AACA@ld9781.wdf.sap.corp> <alpine.GSO.1.10.1311201921370.23560@multics.mit.edu> <7346_1385010106_rAL51j7j007404_20131121050138.GB3655@localhost> <1385050186.6315.15.camel@destiny.pc.cs.cmu.edu>
Date: Thu, 21 Nov 2013 12:30:50 -0600
Message-ID: <CAK3OfOgPxFzMRAKC48Bz3svPRp85h+mMUNppVTQOSYZ9EEvj1w@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
Content-Type: text/plain; charset="UTF-8"
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] New Version Notification for draft-kaduk-kitten-gss-loop-01.txt (fwd)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2013 18:31:10 -0000
On Thu, Nov 21, 2013 at 10:09 AM, Jeffrey Hutzelman <jhutz@cmu.edu> wrote: > On Wed, 2013-11-20 at 23:01 -0600, Nico Williams wrote: >> Why would the name of the initiator *as output to the application* vary >> as the security context token exchange progresses? > > Perhaps there's some stackable thing during which the notion of > initiator name is refined as control passes from one mech to another? I addressed that immediately after asking the question :) I believe the correct answer for a mechanism that builds knowledge of the initiator progressively (with each security context token round trip) is to output the name only when that process is complete. As for how to represent all the details learned about the initiator, that's what display syntax and name attributes are for. > That said, since we are writing advice to application implementors here, > and not a mechanism, the question is not the wide range of what > applications _might_ be allowed to do, but rather what we tell them they > _should_ do. Yes, but that requires considering the constraints on the mechglue/provider. In this case they must not output multiple src_names -- that's just not something existing apps are prepared to handle and makes no sense. > For acceptors, things get a bit dicier, because you have acceptors like > RXGK_GSSNegotiate, which get called once per round trip and want to be > completely stateless in between. Fortunately for us, actually achieving The mechglue/provider should either a) not output the src_name (and deleg cred) until complete, or b) once they output either *keep* outputing it until complete. Nothing else is safe w.r.t. existing applications. > that would require the ability to export partially-established contexts, > which is already not well-defined. Therefore, we can advise that > implementations have little choice but to retain some state, and thus > might as well follow the same conservative approach: allocate everything > up front, and don't look at anything other than prot_ready until the > end. No, the mechglue/provider must keep state as described above. Also, src_name can be left NULL -- the application can use gss_inquire_context() instead. So the only real problem here is deleg_cred_handle. Nico --
- [kitten] New Version Notification for draft-kaduk… Benjamin Kaduk
- Re: [kitten] New Version Notification for draft-k… Benjamin Kaduk
- Re: [kitten] New Version Notification for draft-k… Greg Hudson
- Re: [kitten] New Version Notification for draft-k… Martin Rex
- Re: [kitten] New Version Notification for draft-k… Benjamin Kaduk
- Re: [kitten] New Version Notification for draft-k… Martin Rex
- Re: [kitten] New Version Notification for draft-k… Martin Rex
- Re: [kitten] New Version Notification for draft-k… Benjamin Kaduk
- Re: [kitten] New Version Notification for draft-k… Benjamin Kaduk
- Re: [kitten] New Version Notification for draft-k… Martin Rex
- Re: [kitten] New Version Notification for draft-k… Nico Williams
- Re: [kitten] New Version Notification for draft-k… Nico Williams
- Re: [kitten] New Version Notification for draft-k… Jeffrey Hutzelman
- Re: [kitten] RFC 2744 Appendix A erratum Benjamin Kaduk
- Re: [kitten] RFC 2744 Appendix A erratum Martin Rex
- Re: [kitten] New Version Notification for draft-k… Jeffrey Hutzelman
- Re: [kitten] New Version Notification for draft-k… Nico Williams
- Re: [kitten] New Version Notification for draft-k… Benjamin Kaduk
- Re: [kitten] New Version Notification for draft-k… Nico Williams
- Re: [kitten] New Version Notification for draft-k… Benjamin Kaduk