Re: [SPKM] Re: [67th IETF] SPKM3 BOF announcement
Nicolas Williams <Nicolas.Williams@sun.com> Fri, 13 October 2006 21:37 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GYUiy-0005l8-0M; Fri, 13 Oct 2006 17:37:48 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GYUiu-0005fN-Pk for spkm@ietf.org; Fri, 13 Oct 2006 17:37:44 -0400
Received: from brmea-mail-3.sun.com ([192.18.98.34]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GYUXt-0000Zo-7A for spkm@ietf.org; Fri, 13 Oct 2006 17:26:22 -0400
Received: from centralmail4brm.central.Sun.COM ([129.147.62.198]) by brmea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id k9DLQKs8007788 for <spkm@ietf.org>; Fri, 13 Oct 2006 15:26:20 -0600 (MDT)
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by centralmail4brm.central.Sun.COM (8.13.6+Sun/8.13.6/ENSMAIL, v2.2) with ESMTP id k9DLQJVn009116 for <spkm@ietf.org>; Fri, 13 Oct 2006 15:26:20 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.13.6+Sun/8.13.6) with ESMTP id k9DLQJNf016036; Fri, 13 Oct 2006 16:26:19 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.13.6+Sun/8.13.6/Submit) id k9DLQJ3F016035; Fri, 13 Oct 2006 16:26:19 -0500 (CDT)
Date: Fri, 13 Oct 2006 16:26:19 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Razvan Trufasiu <Razvan.Trufasiu@hummingbird.com>
Subject: Re: [SPKM] Re: [67th IETF] SPKM3 BOF announcement
Message-ID: <20061013212618.GD12284@binky.Central.Sun.COM>
References: <BFBFA757A7B953449AD27E2721514FF205925B60@tor01x5.hcl.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <BFBFA757A7B953449AD27E2721514FF205925B60@tor01x5.hcl.com>
User-Agent: Mutt/1.5.7i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0a7aa2e6e558383d84476dc338324fab
Cc: "'William A.(Andy) Adamson'" <andros@citi.umich.edu>, Dan Trufasiu <Dan.Trufasiu@hummingbird.com>, "'spkm@ietf.org'" <spkm@ietf.org>, 'Olga Kornievskaia' <aglo@citi.umich.edu>
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org
On Thu, Oct 12, 2006 at 06:36:07PM -0400, Razvan Trufasiu wrote: > My name is Razvan Trufasiu, and I am in charge of developing an > SPKM-3/LIPKey implementation for the Hummingbird NFS Maestro server. Excellent. Nice to meet you. > At the moment, Hummingbird NFSv4 implementation supports anonymous SPKM-3 > and LIPKey, and the next version will hopefully implement mutual SPKM-3. Any > of these are based upon the specs released in early 2006. The specs have > already changed, from my understanding; however, updating the code to > support this should be simple. For interoperability, currently Olga and I > managed to run several Connectathon tests successfully, without Integrity or > Privacy. We can connect (tentatively) with Integrity, and are working on > being able to connect with Privacy, and run all the tests. There are several > problems we are currently still addressing. You may want to adapt Microsoft's GSS-MONGER test suite. The Connectathon tests test NFS use of GSS-API mechanisms, but lack a thourough test of GSS mechanisms vis-a-vis the GSS-APIv2u1. I believe Martin Rex has a test suite that you might be able to get access too. > The reason we have chosen to implement SPKM-3 or LIPKey is to provide an > alternative GSS implementation to Kerberos v5. I'm with you. > Kerberos is often difficult > to set up, and the overhead of having a separate Kerberos server, in > addition to the NFS client/server can be cumbersome for certain users. I don't think this is the reason for wanting other mechanisms. But it doesn't matter -- I agree that mechanisms based on credential types other than Kerberos V tickets are desirable. > LIPKey and anonymous SPKM-3 are easy to set up and quick to deploy, even on > large networks, without compromising the main security of GSS (although the > anonymous part of either protocol does come with some problems, such as > anonymous SPKM not doing any sort of client-side security checks). It would > also be a huge asset if the implementation of this protocol turns out to be > faster and more performing than Kerberos v5 (which it is not at the moment). There is the matter of distributing trust anchors, CRLs/OCSP, etc... I don't think mechanism performance is an issue here. SPKM performance should be roughly comparable to TLS, SSHv2, etc... Given its use of public key cryptographic it certainly could not be much faster than existing secure protocols that also use public key cryptographic. Given use of PKIX then there's the whole CRL/OCSP ball of wax too, that can impact performance. Yes, some Kerberos V implementations suffer from, for example, poorly performing replay caches, which SPKM-3 should not need, so there's always a possibility that some SPKM-3 implementations could be faster than certain Kerberos V mechanism implementations. Bottom-line: SPKM isn't needed for performance reasons. Nico -- _______________________________________________ SPKM mailing list SPKM@ietf.org https://www1.ietf.org/mailman/listinfo/spkm
- [SPKM] [67th IETF] SPKM3 BOF announcement Olga Kornievskaia
- [SPKM] Re: [67th IETF] SPKM3 BOF announcement Nicolas Williams
- Re: [SPKM] Re: [67th IETF] SPKM3 BOF announcement Mike Eisler
- Re: [SPKM] Re: [67th IETF] SPKM3 BOF announcement Nicolas Williams
- Re: [SPKM] Re: [67th IETF] SPKM3 BOF announcement Mike Eisler
- Re: [SPKM] Re: [67th IETF] SPKM3 BOF announcement Nicolas Williams
- Re: [SPKM] Re: [67th IETF] SPKM3 BOF announcement William A.(Andy) Adamson
- Re: [SPKM] Re: [67th IETF] SPKM3 BOF announcement Nicolas Williams
- RE: [SPKM] Re: [67th IETF] SPKM3 BOF announcement Razvan Trufasiu
- Re: [SPKM] Re: [67th IETF] SPKM3 BOF announcement Mike Eisler
- Re: [SPKM] Re: [67th IETF] SPKM3 BOF announcement Nicolas Williams
- Re: [SPKM] Re: [67th IETF] SPKM3 BOF announcement Nicolas Williams