IETF Logo Mail Archive

Re: KITTEN: IETF 75 - 76

Martin Rex <Martin.Rex@sap.com> Mon, 17 August 2009 23:02 UTC

Return-Path: <Martin.Rex@sap.com>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 570683A6F4A for <kitten@core3.amsl.com>; Mon, 17 Aug 2009 16:02:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.587
X-Spam-Level:
X-Spam-Status: No, score=-5.587 tagged_above=-999 required=5 tests=[AWL=0.662, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TPHQTtEHtDLe for <kitten@core3.amsl.com>; Mon, 17 Aug 2009 16:02:05 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 5C1E528C2A4 for <kitten@ietf.org>; Mon, 17 Aug 2009 16:02:05 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id n7HN28fV004368 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 18 Aug 2009 01:02:08 +0200 (MEST)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200908172302.n7HN27Nx008325@fs4113.wdf.sap.corp>
Subject: Re: KITTEN: IETF 75 - 76
To: leifj@mnt.se
Date: Tue, 18 Aug 2009 01:02:07 +0200
In-Reply-To: <200908180013.29152.leifj@mnt.se> from "Leif Johansson" at Aug 18, 9 00:13:28 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: kitten@ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2009 23:02:06 -0000

Leif Johansson wrote:
> 
> That was exporting unfinished contexts actually - slightly different.

exporting&importing unfinished security contexts will usually
break the gssapi architecture.

The context establishement calls take a number of arguments
that must be the same for the initial and all iteration calls,
and it is an implementation issue at which point which of these
parameters is accessed.

Fully established security contexts do not normally need access to
credentials (the gss_cred_id_t that was provided to gss_init_sec_context
or gss_accept_sec_context can be released when the security context
establishment has completed or failed).

During security context establishment, access to credentials might
be necessary at various stages, and the caller would have to
make sure the parameters during each iteration call are the same
as during the first call.

Credentials that are stored on a hardware token are often not
transferable, and also may require a serialization of the access.


> 
> >
> > >    4. error message reporting
> > >    5. asynchronous calls
> >
> > The last 2 are generally required for use by modern applications.
> 
> hmm, is asynchronous calls related to exportable contexts perhaps...?


What exactly do you mean by asynchronous calls??

GSS-API does not include message transport, so all calls are
by definition asynchronous.


Or were you thinking about the Kerberos 5 gssapi mechanisms communication
with the KDC during gss_init_sec_context() (and possibly during
gss_acquire_cred for some newer implementations)?


-Martin

v2.23.0 | Report a Bug | By Email