IETF Logo Mail Archive

Re: [SPKM] Re: [TLS] DTLS and GSS-API

Sam Hartman <hartmans-ietf@mit.edu> Sun, 05 November 2006 19:42 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ggnsa-0007vB-7n; Sun, 05 Nov 2006 14:42:04 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GgnsY-0007v0-Ld; Sun, 05 Nov 2006 14:42:02 -0500
Received: from [130.129.68.116] (helo=carter-zimmerman.mit.edu) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GgnsX-0006r9-BZ; Sun, 05 Nov 2006 14:42:02 -0500
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 20EE6E0038; Sun, 5 Nov 2006 14:41:53 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: martin.rex@sap.com
Subject: Re: [SPKM] Re: [TLS] DTLS and GSS-API
References: <200611032025.VAA17840@uw1048.wdf.sap.corp>
Date: Sun, 05 Nov 2006 14:41:53 -0500
In-Reply-To: <200611032025.VAA17840@uw1048.wdf.sap.corp> (Martin Rex's message of "Fri, 3 Nov 2006 21:25:38 +0100 (MET)")
Message-ID: <tslk629he9q.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 69a74e02bbee44ab4f8eafdbcedd94a1
Cc: tls@ietf.org, spkm@ietf.org
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org

>>>>> "Martin" == Martin Rex <martin.rex@sap.com> writes:
    >> 
    >> An alternate proposal for solving this problem was discussed in
    >> the past: construct a GSS-API mechanism based on DTLS.
    >> Advantages of this solution include reuse of code and
    >> specification between GSS-API and TLS implementations.  When
    >> new ciphers are specified for TLS they would be available for
    >> NFS.  We would not need to keep updating a GSS mechanism as
    >> public-key algorithms evolve and problems are found.
    >> 
    >> There are two main drawbacks I've heard to the DTLS proposal.
    >> First, we don't have a draft.  Second, it would not be
    >> interoperable with SPKM-3 deployments.

    Martin> There is a substantial difference between GSS-API and TLS
    Martin> which should not be ignored: In the GSS-API architecture,
    Martin> context level tokens (which exchange cryptographic
    Martin> material and perform the authentication) can only be
    Martin> exchanged at the beginning.

    Martin> After a security context has been established, the message
    Martin> flow depends entirely on the communication characteristics
    Martin> of the application, and may be entirey uni-directional and
    Martin> may preclude even alien attempts of a gssapi mechanism to
    Martin> piggy-back context-token on protected message tokens.

    Martin> With TLS, on the other hand, each of the communication
    Martin> peers may request a renegotiation of context parameters at
    Martin> (almost) any time during the communication.


I talked to Eric about this in another context.  He claimed that as a
practical matter it does not work if animplementation does a new
handshake without the cooperation of the upper-layer application.  You
are correct though that a DTLS GSS-API mechanism could only be
specified on the standards track if this issue were dealt with in some
manner that preserved the GSS-API model.


_______________________________________________
SPKM mailing list
SPKM@ietf.org
https://www1.ietf.org/mailman/listinfo/spkm

v2.23.0 | Report a Bug | By Email