IETF Logo Mail Archive

Re: KITTEN: IETF 75 - 76

Love Hörnquist Åstrand <lha@kth.se> Mon, 17 August 2009 16:50 UTC

Return-Path: <lha@kth.se>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D83428C277 for <kitten@core3.amsl.com>; Mon, 17 Aug 2009 09:50:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.949
X-Spam-Level:
X-Spam-Status: No, score=-5.949 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gzLmBmdyCbGE for <kitten@core3.amsl.com>; Mon, 17 Aug 2009 09:50:18 -0700 (PDT)
Received: from smtp-1.sys.kth.se (smtp-1.sys.kth.se [130.237.32.175]) by core3.amsl.com (Postfix) with ESMTP id 5274428C288 for <kitten@ietf.org>; Mon, 17 Aug 2009 09:50:18 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp-1.sys.kth.se (Postfix) with ESMTP id 77AC9155B56; Mon, 17 Aug 2009 18:49:50 +0200 (CEST)
X-Virus-Scanned: by amavisd-new at kth.se
Received: from smtp-1.sys.kth.se ([127.0.0.1]) by localhost (smtp-1.sys.kth.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 9AhRaeE40+5l; Mon, 17 Aug 2009 18:49:48 +0200 (CEST)
Received: from [10.0.1.6] (c80-216-69-25.bredband.comhem.se [80.216.69.25]) by smtp-1.sys.kth.se (Postfix) with ESMTP id 436D615590F; Mon, 17 Aug 2009 18:49:39 +0200 (CEST)
Subject: Re: KITTEN: IETF 75 - 76
Mime-Version: 1.0 (Apple Message framework v1075.2)
Content-Type: multipart/alternative; boundary="Apple-Mail-183--509845363"
From: Love Hörnquist Åstrand <lha@kth.se>
In-Reply-To: <20090816235122.GP1043@Sun.COM>
Date: Mon, 17 Aug 2009 18:49:37 +0200
Message-Id: <77312362-85D0-4BDC-AD16-28450B38C5CB@kth.se>
References: <4A87A69A.3050408@sun.com> <20090816235122.GP1043@Sun.COM>
To: Nicolas Williams <Nicolas.Williams@sun.com>
X-Mailer: Apple Mail (2.1075.2)
Cc: "kitten@ietf.org" <kitten@ietf.org>, Shawn M Emery <Shawn.Emery@sun.com>
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2009 16:50:20 -0000

17 aug 2009 kl. 01:51 skrev Nicolas Williams:

> On Sun, Aug 16, 2009 at 12:26:34AM -0600, Shawn M Emery wrote:
>> Love had given a set of new work items that would be of interest, as
>> follows:
>>
>>   1. initialization/new credentials
>>   2. listing/iterating credentials
>>   3. exporting/importing credentials
>
> (1) is a complex matter as it requires interaction with users and  
> needs
> to cover such things as principal name, password, new password, PIN,  
> PIN
> change and other prompts.  A design is certainly possible.
>
> (2) is really listing of principal names for which the caller has
> credentials (we can already list mechanisms for which the caller has
> credentials).  This is likely a difficult thing to design since we  
> will
> want to be able to control what principals GSS_Accept_sec_context()  
> can
> accept sec contexts for, and that means a significant revamp of the
> semantics of CREDENTIAL HANDLEs _or_ a replacement for
> GSS_Accept_sec_context().

accept sec context is not really intresting since it doesn't make  
thinks not work. init sec context however it mostly useless since the  
consumers don't know about what credentials they have.

have a list of mechs there is credentials for is also mostly useless,  
i have lha@SU.SE (Kerberos), SU.SE\lha (NTLM), KTH.SE (Kerberos) E.KTH.SE 
  (sasl-digest-md5),  
lha@LKDC.SHA1:EA35DAB08BD8EC833C160FAFCDF03E4B13F72D6B (Kerberos) any  
many other, knowing that I have some Kerberos credentals is mostly  
useless.

Its not even possible to build ui to do specific selection, or  
selection other then providing a text field that you can do  
gss_import_name(GSS_C_NT_USER) on and hope that it work.

>>   4. error message reporting
>
> Yes.  (I still believe in the "PGSSAPI" idea where, in the C bindings,
> we change the semantics and type of the minor_status argument,  
> though in
> a binary backwards compatible way.  I can expand if desired.)

Lets redo the api, ISC is broken as it since there is no way to add  
new tokens.

>>   5. asynchronous calls
>
> Developers can use threads to work around the lack of these, so it  
> seems
> to me that these should be a lower priority.

I disagree, threads consume lots of resources that and are very  
complicated to use.

>> ...along with Alexey's recent request for policy/encryption strength.
>
> Yes.  This should be, IMO, a high priority.

And not over engineered. Let's solve the SASL problem and nothing more.

>> We are looking for authors and editors for any of these new items or
>> something else that you would like to see developed within KITTEN.
>
> I'll edit, but I need co-authors who'll contribute text, API designs,
> and energy to the list.

Love

v2.23.0 | Report a Bug | By Email