Re: Working Group Last Call: draft-ietf-kitten-krb5-gssapi-prf-02.txt and draft-ietf-kitten-gssapi-prf-02.txt
On Thu, Apr 14, 2005 at 04:56:25PM -0400, Sam Hartman wrote:
> >>>>> "Jeffrey" == Jeffrey Altman <jaltman at columbia.edu> writes:
>
> Jeffrey> (2) Appropriate text specifying how the key usage for the
> Jeffrey> Krb5 PRF function will be determined must be added.
>
> RFC 3961 does not have key usage for PRF.

Note that the key usage in question is for the krb5 _mechanism_'s GSS
PRF, not the kcrypto PRF. Given that, what impact does the lack of a
key usage for the kcrypto prf have, in your opinion, on this I-D?

> Like Nico, I am concerned that our decision not to support prf_ready
> for the krb5 prf may be problematic. I am not advocating a change
> now, but I'm concerned that the issue needs more consideration.
> Clearly as one of the people asking for the PRF documents to move, I
> should try to form a better opinion during the WGLC.

Please do :)

Due to the fact that for the krb5 mechanism there is no such thing, on
the _acceptor_ side, as a partially established security context, the
only ways I can see to specify a PRF_READY feature would be to either
add an argument to GSS_PRF() so a pre-full-establishment key can be
used, OR a mechanism-specific extension.

I agree that, in light of the recently discussed complication created by
SPNEGO, it would be nice to have a PRF_READY feature.

Nico