IETF Logo Mail Archive

Re: [kitten] Clarification of gss_add_cred() behavior

Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 19 March 2015 19:40 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4788E1A8BC0 for <kitten@ietfa.amsl.com>; Thu, 19 Mar 2015 12:40:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hkG7MLcTv_My for <kitten@ietfa.amsl.com>; Thu, 19 Mar 2015 12:40:04 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D1771A8BC1 for <kitten@ietf.org>; Thu, 19 Mar 2015 12:40:04 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id C4079283011; Thu, 19 Mar 2015 19:40:02 +0000 (UTC)
Date: Thu, 19 Mar 2015 19:40:02 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: kitten@ietf.org
Message-ID: <20150319194002.GG4309@mournblade.imrryr.org>
References: <20150319025202.GB8099@localhost> <alpine.GSO.1.10.1503191446260.3953@multics.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.GSO.1.10.1503191446260.3953@multics.mit.edu>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/r1CQx0S24nQL7toNBgusPqsathY>
Subject: Re: [kitten] Clarification of gss_add_cred() behavior
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: kitten@ietf.org
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2015 19:40:06 -0000

On Thu, Mar 19, 2015 at 02:48:44PM -0400, Benjamin Kaduk wrote:

> > I think this must have been a drafting error.  It's obvious to me, but
> > maybe someone has a very different opinion as to this (Martin?).
> 
> But a GSS credential can only represent a single identity ("entity", see
> 1.1.1.1)!  Identities are represented by (non-mechanism) names, so it is
> not clear to me that this is a drafting error.  If you know what name you
> want credentials for, you should use it.

The situation as I understand it is as follows.

    1. gss_add_cred() is intended to build a credential handle
       *incrementally*, adding credentials one mechanism at a time.
       Either for a default name, or for an explicit name that
       agrees with any previous credentials in the input handle.

    2. For this interface to be useful, the initial state one must
       be able to start with an empty credential handle and build up
       from there.  This presumably is specified via a NULL input
       credential, and still the same name for which one wants
       creds.

    3. So how are the desired "name" and "mech" used when going
       from no creds (NULL input handle) to a handle with a first
       credential element?

    4.  The text says that a default credential handle is implicitly
	constructed with GSS_C_NO_NAME, and we add to that!  But what
	if the acquired default credential has a conflicting name, and
	potentially already has elements for the same or other mechanisms?

	What is that text really trying to say, and why?

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email