Re: [nfsv4] Last call start for "RPCSEC_GSS Version 2"
"Mike Eisler" <mre-ietf@eisler.com> Fri, 13 June 2008 20:21 UTC
Return-Path: <nfsv4-bounces@ietf.org>
X-Original-To: nfsv4-archive@megatron.ietf.org
Delivered-To: ietfarch-nfsv4-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3FB803A690F; Fri, 13 Jun 2008 13:21:18 -0700 (PDT)
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 26C373A688F for <nfsv4@core3.amsl.com>; Fri, 13 Jun 2008 13:21:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0aOMUUzerjAZ for <nfsv4@core3.amsl.com>; Fri, 13 Jun 2008 13:21:15 -0700 (PDT)
Received: from webmail5.dreamhost.com (sd-green-dreamhost-133.dreamhost.com [208.97.187.133]) by core3.amsl.com (Postfix) with ESMTP id CF6C93A690F for <nfsv4@ietf.org>; Fri, 13 Jun 2008 13:21:15 -0700 (PDT)
Received: from webmail.eisler.com (localhost [127.0.0.1]) by webmail5.dreamhost.com (Postfix) with ESMTP id AAFB45B6B8 for <nfsv4@ietf.org>; Fri, 13 Jun 2008 13:21:48 -0700 (PDT)
Received: from 198.95.226.230 (SquirrelMail authenticated user mre-ietf@eisler.com) by webmail.eisler.com with HTTP; Fri, 13 Jun 2008 13:21:48 -0700 (PDT)
Message-ID: <47515.198.95.226.230.1213388508.squirrel@webmail.eisler.com>
In-Reply-To: <20080611231608.GA2735@Sun.COM>
References: <559831BE-8E35-43E4-911C-EE570E511C38@Sun.COM> <20080611231608.GA2735@Sun.COM>
Date: Fri, 13 Jun 2008 13:21:48 -0700
From: Mike Eisler <mre-ietf@eisler.com>
To: nfsv4@ietf.org
User-Agent: SquirrelMail/1.4.10a
MIME-Version: 1.0
Subject: Re: [nfsv4] Last call start for "RPCSEC_GSS Version 2"
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: nfsv4-bounces@ietf.org
Errors-To: nfsv4-bounces@ietf.org
On Wed, June 11, 2008 4:16 pm, Nicolas Williams wrote: > On Mon, Jun 02, 2008 at 11:30:43PM -0500, Spencer Shepler wrote: >> http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-rpcsec-gss-v2-03.txt > > - rbcva_chan_bind_hash_oid, should we actually need it (see below) > should be described as containing the DER encoding of an OID. > > - But I don't think we need to hash the channel bindings at all > because: a) gss_get/verify_mic() can handle large amounts of input > data anyways, thus no need to hash it down, b) using a hash adds > complexity (including hash agility considerations), c) channel > bindings will typically be hashed data to begin with[*]. OK, I'm very confused. You wrote on April 21: ``The primary change here is this: rather than use the raw public keys I want to use a hash of them. The main reason is: so keeping channel binding data in kernel mode implementations is not too difficult (by reducing the size of the data to keep around). Hash agility is pushed to the application, which will require a change to RPCSEC_GSSv2 (which is still an I-D and has not progressed yet).'' The current RPCSEC_GSSv2 i-d is consistent with what you wrote on April 21. But you didn't say how you wanted the RPCSEC_GSSv2 changed. So in absence of guidance, this is what you get. As for "typically be hashed data" that's not good enough. RPCSEC_GSS creds and verifiers are limited to 400 bytes. Public keys can easily exceed 400 bytes. So your original instincts from April 21 seem correct. -- Mike Eisler, Senior Technical Director, NetApp, 719 599 9026, http://blogs.netapp.com/eislers_nfs_blog/ _______________________________________________ nfsv4 mailing list nfsv4@ietf.org https://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] Last call start for "RPCSEC_GSS Version 2" Spencer Shepler
- Re: [nfsv4] Last call start for "RPCSEC_GSS Versi… Mike Eisler
- Re: [nfsv4] Last call start for "RPCSEC_GSS Versi… Nicolas Williams
- Re: [nfsv4] Last call start for "RPCSEC_GSS Versi… Nicolas Williams
- Re: [nfsv4] Last call start for "RPCSEC_GSS Versi… Nicolas Williams
- Re: [nfsv4] Last call start for "RPCSEC_GSS Versi… Mike Eisler
- Re: [nfsv4] Last call start for "RPCSEC_GSS Versi… Mike Eisler
- Re: [nfsv4] Last call start for "RPCSEC_GSS Versi… Nicolas Williams
- Re: [nfsv4] Last call start for "RPCSEC_GSS Versi… Mike Eisler
- Re: [nfsv4] Last call start for "RPCSEC_GSS Versi… Nicolas Williams
- Re: [nfsv4] Last call start for "RPCSEC_GSS Versi… Mike Eisler
- Re: [nfsv4] Last call start for "RPCSEC_GSS Versi… Spencer Shepler