Re: [SPKM] Re: [TLS] DTLS and GSS-API
Sam Hartman <hartmans-ietf@mit.edu> Sun, 05 November 2006 19:42 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ggnsa-0007vB-7n; Sun, 05 Nov 2006 14:42:04 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GgnsY-0007v0-Ld; Sun, 05 Nov 2006 14:42:02 -0500
Received: from [130.129.68.116] (helo=carter-zimmerman.mit.edu) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GgnsX-0006r9-BZ; Sun, 05 Nov 2006 14:42:02 -0500
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 20EE6E0038; Sun, 5 Nov 2006 14:41:53 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: martin.rex@sap.com
Subject: Re: [SPKM] Re: [TLS] DTLS and GSS-API
References: <200611032025.VAA17840@uw1048.wdf.sap.corp>
Date: Sun, 05 Nov 2006 14:41:53 -0500
In-Reply-To: <200611032025.VAA17840@uw1048.wdf.sap.corp> (Martin Rex's message of "Fri, 3 Nov 2006 21:25:38 +0100 (MET)")
Message-ID: <tslk629he9q.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 69a74e02bbee44ab4f8eafdbcedd94a1
Cc: tls@ietf.org, spkm@ietf.org
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org
>>>>> "Martin" == Martin Rex <martin.rex@sap.com> writes: >> >> An alternate proposal for solving this problem was discussed in >> the past: construct a GSS-API mechanism based on DTLS. >> Advantages of this solution include reuse of code and >> specification between GSS-API and TLS implementations. When >> new ciphers are specified for TLS they would be available for >> NFS. We would not need to keep updating a GSS mechanism as >> public-key algorithms evolve and problems are found. >> >> There are two main drawbacks I've heard to the DTLS proposal. >> First, we don't have a draft. Second, it would not be >> interoperable with SPKM-3 deployments. Martin> There is a substantial difference between GSS-API and TLS Martin> which should not be ignored: In the GSS-API architecture, Martin> context level tokens (which exchange cryptographic Martin> material and perform the authentication) can only be Martin> exchanged at the beginning. Martin> After a security context has been established, the message Martin> flow depends entirely on the communication characteristics Martin> of the application, and may be entirey uni-directional and Martin> may preclude even alien attempts of a gssapi mechanism to Martin> piggy-back context-token on protected message tokens. Martin> With TLS, on the other hand, each of the communication Martin> peers may request a renegotiation of context parameters at Martin> (almost) any time during the communication. I talked to Eric about this in another context. He claimed that as a practical matter it does not work if animplementation does a new handshake without the cooperation of the upper-layer application. You are correct though that a DTLS GSS-API mechanism could only be specified on the standards track if this issue were dealt with in some manner that preserved the GSS-API model. _______________________________________________ SPKM mailing list SPKM@ietf.org https://www1.ietf.org/mailman/listinfo/spkm
- [SPKM] DTLS and GSS-API Sam Hartman
- Re: [SPKM] DTLS and GSS-API Jeffrey Hutzelman
- Re: [SPKM] DTLS and GSS-API Nicolas Williams
- [SPKM] RE: [TLS] DTLS and GSS-API Liqiang(Larry) Zhu
- Re: [SPKM] RE: [TLS] DTLS and GSS-API Nicolas Williams
- [SPKM] Re: [TLS] DTLS and GSS-API Martin Rex
- Re: [SPKM] Re: [TLS] DTLS and GSS-API Sam Hartman
- Re: [SPKM] Re: [TLS] DTLS and GSS-API Nicolas Williams